On 9/6/21 6:21 PM, tho...@habets.se wrote:
> On Mon, 6 Sep 2021 20:47:37 +0100, Tom Lane <t...@sss.pgh.pa.us> said:
>> I'm confused by your description of this patch. AFAIK, OpenSSL verifies
>> against the system-wide CA pool by default. Why do we need to do
>> anything?
> Experimentally, no it doesn't. Or if it does, then it doesn't verify
> the CN/altnames of the cert.
>
> sslmode=require allows self-signed and name mismatch.
>
> verify-ca errors out if there is no ~/.postgresql/root.crt. verify-full too.
>
> It seems that currently postgresql verifies the name if and only if
> verify-full is used, and then only against ~/.postgresql/root.crt CA file.
>
> But could be that I missed a config option?
That's my understanding. But can't you specify a CA cert in the system's CA store if necessary? e.g. on my Fedora system I think it's /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
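A shell helper for the approach Andrew suggests: point verify-full at a system CA bundle instead of ~/.postgresql/root.crt, so libpq checks both the chain and the server name against the distribution's trust store. This is an added example, not code from the thread or from PostgreSQL. It assumes the real libpq connection parameters sslmode and sslrootcert, the Fedora bundle path quoted in the reply, and the Debian/Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build a libpq conninfo string that makes
# sslmode=verify-full use a system CA bundle rather than ~/.postgresql/root.crt.
# sslmode and sslrootcert are real libpq parameters; the candidate bundle paths
# are the Fedora one named in the thread plus the usual Debian/Ubuntu location.

# Print the first readable CA bundle among the arguments; fail if none exists.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Emit a conninfo string pinned to verify-full.
# Usage: pg_conninfo_system_ca HOST [EXTRA_BUNDLE_PATH...]
# Extra paths are tried before the built-in distribution defaults.
pg_conninfo_system_ca() {
    host=$1
    shift
    bundle=$(find_ca_bundle "$@" \
        /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt \
        /etc/ssl/certs/ca-certificates.crt) || {
        # Only verify-full checks the certificate name, so do not silently
        # degrade to sslmode=require when no trusted bundle is available.
        echo "no system CA bundle found; not emitting a weaker sslmode" >&2
        return 1
    }
    printf 'host=%s sslmode=verify-full sslrootcert=%s\n' "$host" "$bundle"
}

# Example invocation (db.example.com is a placeholder host):
#   psql "$(pg_conninfo_system_ca db.example.com)"
```

The helper deliberately fails rather than fall back to sslmode=require, because, as the thread notes, require accepts self-signed certificates and name mismatches. Later libpq (PostgreSQL 16 and newer) also accepts sslrootcert=system, which uses the OpenSSL default trust store directly and removes the need to locate the bundle file by hand.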