Re: Usage of the system truststore for SSL certificate validation
From | Ashutosh Sharma |
---|---|
Subject | Re: Usage of the system truststore for SSL certificate validation |
Date | |
Msg-id | CAE9k0Pm6_T8FpTGGGX79vc8N_K1sLyo55NC8HynhsK=hb0JMzQ@mail.gmail.com |
In reply to | Usage of the system truststore for SSL certificate validation (Thomas Berger <thomas.berger@1und1.de>) |
List | pgsql-hackers |
This certainly looks like a good addition to me that can be implemented on both client and server side. It is always good to have a common location where the list of all the certificates from various CAs can be placed for validation.

--
With Regards,
Ashutosh Sharma
EnterpriseDB: http://www.enterprisedb.com

On Thu, Sep 19, 2019 at 8:24 PM Thomas Berger <thomas.berger@1und1.de> wrote:
>
> Hi,
>
> currently, libpq does SSL certificate validation only against the defined
> `PGSSLROOTCERT` file.
>
> Is there any specific reason why the system truststore (at least under
> unixoid systems) is not considered for the validation?
>
> We would like to contribute a patch to allow certificate validation against
> the system truststore. Are there any opinions against it?
>
>
> A little bit of background for this:
>
> Internally we sign the certificates for our systems with our own CA. The CA
> root certificates and revocation lists are distributed via puppet and/or
> packages on all of our internal systems.
>
> Validating the certificate against this CA requires either overriding the
> PGSSLROOTCERT location via the environment or providing a copy of the file for
> each user that connects with libpq or libpq-like connectors.
>
> We would like to simplify this.
>
>
> --
> Thomas Berger
>
> PostgreSQL DBA
> Database Operations
>
> 1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
>
>
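The thread hinges on where a client takes its trust anchors from: today libpq only consults the `sslrootcert` file (the `PGSSLROOTCERT` environment variable or the default `~/.postgresql/root.crt`), and the proposal adds the operating system's truststore as an alternative. The Python model below, written for this page and not taken from libpq or the patch under discussion, mirrors that decision: `verify-ca` and `verify-full` require a CA source, the file wins when present, and only when `allow_system_store` is set (the proposed behaviour, an assumption here) does the client fall back to `load_default_certs()`. The `exists` parameter is a hypothetical injection point so the logic can be exercised without real files; everything else uses the standard `ssl` module.

```python
"""Model of how libpq selects TLS trust anchors, plus the proposed
system-truststore fallback. Example code written for this discussion,
not libpq's implementation."""
import os
import ssl
from dataclasses import dataclass
from typing import Optional

# libpq's documented default location for the root CA bundle on Unix.
LIBPQ_DEFAULT_ROOTCERT = os.path.expanduser("~/.postgresql/root.crt")


@dataclass(frozen=True)
class TrustDecision:
    source: str             # "sslrootcert" | "system" | "none"
    verify_peer: bool       # validate the server certificate chain at all?
    check_hostname: bool    # verify-full: server name must match the certificate
    rootcert: Optional[str] # CA bundle path when source == "sslrootcert"


def resolve_trust(sslmode, sslrootcert=None, env=None,
                  allow_system_store=False, exists=os.path.isfile):
    """Decide which trust source a connection uses.

    allow_system_store=False reproduces current libpq behaviour; True models
    the fallback proposed in the thread (an assumption of this example).
    """
    env = os.environ if env is None else env
    # Precedence as in libpq: explicit parameter, then PGSSLROOTCERT, then default path.
    rootcert = sslrootcert or env.get("PGSSLROOTCERT") or LIBPQ_DEFAULT_ROOTCERT

    if sslmode not in ("verify-ca", "verify-full"):
        # disable/allow/prefer/require: encryption at most, no chain validation.
        return TrustDecision("none", False, False, None)

    hostname = sslmode == "verify-full"
    if exists(rootcert):
        return TrustDecision("sslrootcert", True, hostname, rootcert)
    if allow_system_store:
        # Proposed: fall back to the OS truststore instead of failing.
        return TrustDecision("system", True, hostname, None)
    # Current libpq: a verifying sslmode without a root cert file is an error.
    raise FileNotFoundError(f'root certificate file "{rootcert}" does not exist')


def build_context(decision):
    """Turn a TrustDecision into an ssl.SSLContext with matching settings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be lowered before verify_mode may be set to CERT_NONE.
    ctx.check_hostname = decision.check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED if decision.verify_peer else ssl.CERT_NONE
    if decision.source == "sslrootcert":
        ctx.load_verify_locations(cafile=decision.rootcert)
    elif decision.source == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


if __name__ == "__main__":
    # Constructed environment: no root.crt anywhere, so today's libpq would fail.
    no_file = lambda path: False
    for allow in (False, True):
        try:
            d = resolve_trust("verify-full", env={}, allow_system_store=allow, exists=no_file)
            print(f"allow_system_store={allow}: using {d.source} trust anchors")
        except FileNotFoundError as err:
            print(f"allow_system_store={allow}: {err}")
```

The example deliberately keeps `require` free of chain validation to show why operators end up shipping a `root.crt` per user: only the `verify-*` modes validate, and they have exactly one place to look.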