Re: Usage of the system truststore for SSL certificate validation
| От | Isaac Morland |
|---|---|
| Тема | Re: Usage of the system truststore for SSL certificate validation |
| Дата | |
| Msg-id | CAMsGm5edBeUxhWM8tbMJg9n1rA2mU2FrYjxLyDd3JzmNd+1gMg@mail.gmail.com обсуждение исходный текст |
| Ответ на | Usage of the system truststore for SSL certificate validation (Thomas Berger <thomas.berger@1und1.de>) |
| Ответы |
Re: Usage of the system truststore for SSL certificate validation
Re: Usage of the system truststore for SSL certificate validation |
| Список | pgsql-hackers |
If we're going to open this up, can we add an option to say "this key is allowed to log in to this account", SSH style?
I like the idea of using keys rather than .pgpass, but I like the ~/.ssh/authorized_keys model and don't like the "set up an entire certificate infrastructure" approach.
On Thu, 19 Sep 2019 at 10:54, Thomas Berger <thomas.berger@1und1.de> wrote:
Hi,
currently, libpq does SSL cerificate validation only against the defined
`PGSSLROOTCERT` file.
Is there any specific reason, why the system truststore ( at least under
unixoid systems) is not considered for the validation?
We would like to contribute a patch to allow certificate validation against
the system truststore. Are there any opinions against it?
A little bit background for this:
Internally we sign the certificates for our systems with our own CA. The CA
root certificates and revocation lists are distributed via puppet and/or
packages on all of our internal systems.
Validating the certificate against this CA requires to either override the
PGSSLROOTCERT location via the environment or provide a copy of the file for
each user that connects with libpq or libpq-like connectors.
We would like to simplify this.
--
Thomas Berger
PostgreSQL DBA
Database Operations
1&1 Telecommunication SE | Ernst-Frey-Straße 10 | 76135 Karlsruhe | Germany
В списке pgsql-hackers по дате отправления: