On Thu, Apr 24, 2025 at 3:16 PM Jelte Fennema-Nio wrote:
> Why is this dangerous? As long as we'd validate that the provided cert
> by the server is for example.com
I can't help but read this as "as long as everyone mitigates the
danger, what's the danger?" We won't be the only implementers of an
On Thu, Apr 24, 2025 at 5:00 AM Peter Eisentraut wrote:
> Another detail to think about is how this affects psql -h localhost. In
> principle, this should require full SSL, but you're probably not going
> to have certificates that allow "localhost". And connections to
> localhost are the default
> On 25 Apr 2025, at 00:16, Jelte Fennema-Nio wrote:
> Let me derail some more, while we're at it I think it would be good to
> add tls-prefixed aliases for all our ssl options. Like tlscert/tlskey.
> Since such a new postgress:// scheme would be totally new, maybe we
> can even disallow the ssl
On Thu, 24 Apr 2025 at 18:46, Jacob Champion
wrote:
>
> On Thu, Apr 24, 2025 at 5:00 AM Peter Eisentraut wrote:
> > I'm generally in favor of making sslmode=verify-full the effective
> > default somehow.
>
> +many
Yes, +many
> Not to derail things too much, but I'd also like a postgress://
> sc
On Thu, Apr 24, 2025 at 5:00 AM Peter Eisentraut wrote:
> I'm generally in favor of making sslmode=verify-full the effective
> default somehow.
+many
On Thu, Apr 24, 2025 at 3:53 AM Christoph Berg wrote:
> For
> postgresql://-style strings, we would ideally have something like http://
> vs http
On 24.04.25 12:53, Christoph Berg wrote:
Now you can say `psql -h db.example.com -p 5433 dbfoo`, but for
specifying the sslmode, you have to rewrite at least the last argument
to use connection string syntax, `psql "dbname=dbfoo sslmode=verify-full`.
This needs be be less cumbersome. (And the nam
Re: George MacKerron
> > Before we can make this change, I think we would have to improve the
> > UX. psql does not even have any --switch for it. PostgreSQL serving
> > non-SSL and SSL on the same port doesn't make the UX better... :-/
>
> How do you think the UX could be improved? Maybe by using
> On Linux/*ix, there would be 3 things that are all the same.
>
> If the Windows Openssl store is that bad, wouldn't the smarter thing
> to do for PG19 to use winstore by default? The Openssl one would still
> be available when requested explicitly. This would avoid the
> proliferation of default
Re: George MacKerron
> SMALLER IDEA
>
> I’d suggest two new special sslrootcert values:
>
> (1) sslrootcert=openssl
>
> This does exactly what sslrootcert=system does now, but is less confusingly
> named for Windows users. sslrootcert=system becomes a deprecated synonym for
> this option.
>
>
