On 2023-01-09 Mo 10:07, Jelte Fennema wrote:
> Thanks for clarifying your reasoning. I now agree that sslrootcert=system
> is now the best option.

Cool, that looks like a consensus.

>
>>> 2. Should we allow the same approach with ssl_ca_file on the server side,
>>> for client cert validation?
>> I don't know enough about this use case to implement it safely. We'd
>> have to make sure the HBA entry is checking the hostname (so that we
>> do the reverse DNS dance), and I guess we'd need to introduce a new
>> clientcert verify-* mode? Also, it seems like server operators are
>> more likely to know exactly which roots they need, at least compared
>> to clients. I agree the feature is useful, but I'm not excited about
>> attaching it to this patchset.

I'm confused. A client cert might not have a hostname at all, and isn't
used to verify the connecting address, but to verify the username. It
needs to have a CN/DN equal to the user name of the connection, or that
maps to that name via pg_ident.conf.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
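The check Andrew describes (client cert CN must equal the requested role, or map to it through a pg_ident.conf map) can be modelled in a few lines. The following is an added example written for this page, not PostgreSQL's own code: it is a simplified model of the server's usermap check, using a constructed pg_ident.conf, and it assumes only the documented basics (a literal SYSTEM-USERNAME, or one starting with "/" treated as a regex whose single capture can be referenced as \1 in PG-USERNAME). Later extensions such as regex PG-USERNAME entries are deliberately left out.

```python
import re

# Constructed sample pg_ident.conf (not taken from the thread).
# Format: MAPNAME  SYSTEM-USERNAME  PG-USERNAME.  For a cert-authenticated
# connection SYSTEM-USERNAME is matched against the certificate CN.
PG_IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME             PG-USERNAME
certmap     alice                       alice
certmap     ops-bob                     bob
certmap     /^(.*)@corp\.example$       \1
certmap     /^svc-(.*)$                 svc_\1
"""


def parse_pg_ident(text):
    """Return {mapname: [(system_username, pg_username), ...]}, comments stripped."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        mapname, sysname, pgname = fields
        maps.setdefault(mapname, []).append((sysname, pgname))
    return maps


def ident_map_allows(maps, mapname, system_user, requested_pg_user):
    """Simplified model of the server's usermap check: True if some entry of
    MAPNAME maps the authenticated identity (the cert CN) to the role the
    client asked to connect as.  Each entry is tried in order; the first
    entry that yields the requested role wins."""
    for sysname, pgname in maps.get(mapname, []):
        if sysname.startswith("/"):
            # Regex entry: search (not anchored) like the docs' examples,
            # so the admin anchors explicitly with ^ and $ where needed.
            m = re.search(sysname[1:], system_user)
            if not m:
                continue
            if r"\1" in pgname:
                if m.re.groups < 1:
                    raise ValueError(f"{sysname!r} has no capture for \\1")
                candidate = pgname.replace(r"\1", m.group(1))
            else:
                candidate = pgname
        else:
            if sysname != system_user:
                continue
            candidate = pgname
        if candidate == requested_pg_user:
            return True
    return False


def cert_cn_allows(cert_cn, requested_pg_user, maps=None, mapname=None):
    """Decision for a cert-authenticated connection.  Without a map= option
    in the HBA entry the CN must equal the role name exactly; with one, the
    map decides.  Note what is *not* consulted: the client's address or any
    hostname.  The cert proves who the client is, not where it connects from."""
    if mapname is None:
        return cert_cn == requested_pg_user
    return ident_map_allows(maps, mapname, cert_cn, requested_pg_user)


if __name__ == "__main__":
    maps = parse_pg_ident(PG_IDENT_CONF)
    for cn, role in [("alice", "alice"), ("alice", "postgres"),
                     ("carol@corp.example", "carol"),
                     ("mallory@evil.example", "mallory"),
                     ("svc-backup", "svc_backup")]:
        print(f"CN={cn!r:28} role={role!r:14} ->",
              "allow" if cert_cn_allows(cn, role, maps, "certmap") else "reject")
```

The point the model makes concrete: a client holding a valid certificate for `alice` is rejected when it asks to connect as `postgres`, because the CN (or its mapped form) is compared with the requested role and nothing else; there is no hostname or reverse-DNS step anywhere in that decision.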