On Wed, Oct 04, 2017 at 11:47:45AM -0700, Jeff Janes wrote:
> On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> > It's possible that we could adopt some policy like "if the root.crt file
> > exists then default to verify" ... but that seems messy and unreliable,
> > so I'm not sure it would really add any security.
>
> That is what we do. If root.crt exists, we default to verify-ca.
>
> And yes, it is messy and unreliable. I don't know if it adds any security
> or not.
>
> Or do you mean we could default to verify-full instead of verify-ca?
I would rather psql defaulted to verify-full and let users deal with errors
by either a) configuring appropriate trust anchors and provisioning
appropriate certificates, or b) disabling verify-full. Users should know
that they are using psql(1) insecurely -- it has to be obvious.

Yes, this would be a backwards-incompatible change, but security tends to
justify this sort of change.

Another possibility would be to make this default change only applicable
when using postgresql-scheme URIs (which I do, almost religiously -- they
are much easier to use than all alternative connection data
specifications).

Nico
--

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
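An added example (not code from the thread or from PostgreSQL itself) that audits connection strings against the rule discussed above: it parses either a postgresql:// URI or a keyword=value conninfo string, applies the "no explicit sslmode plus an existing root.crt means verify-ca" default as Jeff describes it, and reports whether the server's identity (hostname) is actually verified, which only verify-full does. Whether root.crt exists is passed in explicitly so the check is deterministic; the helper that probes the default ~/.postgresql/root.crt path is optional.

```python
import os
from urllib.parse import urlparse, parse_qs

# libpq sslmode values, weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def parse_conninfo(conninfo: str) -> dict:
    """Extract parameters from a postgresql:// URI or a keyword=value string.
    Only the plain forms are handled (no quoted values or escapes)."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        u = urlparse(conninfo)
        params = {k: v[-1] for k, v in parse_qs(u.query).items()}
        if u.hostname:
            params.setdefault("host", u.hostname)
        return params
    params = {}
    for token in conninfo.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def default_root_crt_present(params: dict) -> bool:
    """True when the client's CA file (sslrootcert or ~/.postgresql/root.crt) exists."""
    path = params.get("sslrootcert", os.path.expanduser("~/.postgresql/root.crt"))
    return os.path.exists(path)


def effective_sslmode(params: dict, root_crt_exists: bool) -> str:
    """Verification level in effect, following the rule described in the thread:
    an unset sslmode defaults to 'prefer', but when root.crt exists the default
    becomes 'verify-ca' (chain checked, hostname not checked)."""
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode: {mode}")
    if "sslmode" not in params and root_crt_exists:
        mode = "verify-ca"
    return mode


def verifies_server_identity(params: dict, root_crt_exists: bool) -> bool:
    """Only verify-full checks the certificate name against the host."""
    return effective_sslmode(params, root_crt_exists) == "verify-full"


def audit(conninfos: list, root_crt_exists: bool) -> list:
    """Return (conninfo, effective mode) for every string that is not verify-full."""
    findings = []
    for c in conninfos:
        p = parse_conninfo(c)
        if not verifies_server_identity(p, root_crt_exists):
            findings.append((c, effective_sslmode(p, root_crt_exists)))
    return findings
```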