by paulddraper 2362 days ago
> Not all clients can use a default trust store

I just put my root certs in ~/.postgresql/root.crt and it all works, right? (unless the root itself changed, but this should be stable)

> Not all clients support a certificate chain

Any specific examples? psql and PostgreSQL JDBC both support chains.

What would even cause that? Handrolling an SSL library?


> I just put my root certs in ~/.postgresql/root.crt and it all works, right?

Also ensure sslmode is set to verify-ca or verify-full, either as a set parameter or via the PGSSLMODE environment variable. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-c...

As ever, the #1 tip to maximise confidence in your configuration is to automate it, write a failing test case, then fix the test.

> Any specific examples?

Some of the new-wave SSL implementations (including yaSSL, with which mysql-client can/could be built) didn't always support them (not sure where yaSSL is at now), and the AWS documentation hints that it's cropped up in some circumstance in GovCloud, but I think the most likely circumstances will be enterprise folks using appliances and/or appliance-like software that's configured only via a web UI, one in which they just didn't think chains were necessary (or that only supports a small bundle etc etc; the sky's the limit in this class of software gore). I've seen this exact issue, albeit for an LDAP client not an RDBMS.
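One way to turn the "automate it, write a failing test" advice into code: an added Python example (not from either commenter) that resolves the effective sslmode and root certificate the way libpq does (connection string, then PGSSLMODE/PGSSLROOTCERT, then the built-in defaults) and reports configurations that would not verify the server certificate. The parameter names and precedence are libpq's; the hostnames and paths are constructed.

```python
import os
from urllib.parse import parse_qs, urlparse

# Only these two libpq modes make the client validate the server certificate
# against the trusted root; "require" (and weaker) encrypts without checking it.
# verify-full additionally checks that the certificate matches the host name.
VERIFYING_MODES = {"verify-ca", "verify-full"}
DEFAULT_ROOT_CERT = "~/.postgresql/root.crt"  # libpq's default sslrootcert location

def parse_conninfo(conninfo):
    """Return connection parameters from a libpq URI or key=value string.
    Simplified parser: quoted values containing spaces are not supported."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        query = urlparse(conninfo).query
        return {k: v[-1] for k, v in parse_qs(query).items()}
    params = {}
    for token in conninfo.split():
        key, _, value = token.partition("=")
        params[key] = value.strip("'")
    return params

def resolve(param, env_var, default, params, env):
    """libpq precedence: connection string, then environment, then built-in default."""
    return params.get(param) or env.get(env_var) or default

def check_tls_config(conninfo, env, exists=os.path.exists):
    """Return a list of findings; an empty list means the server cert will be verified.
    `exists` is injectable so the check can run against constructed paths in tests."""
    params = parse_conninfo(conninfo)
    mode = resolve("sslmode", "PGSSLMODE", "prefer", params, env)
    root = resolve("sslrootcert", "PGSSLROOTCERT", DEFAULT_ROOT_CERT, params, env)
    findings = []
    if mode not in VERIFYING_MODES:
        findings.append(f"sslmode={mode}: server certificate is not verified")
    if not exists(os.path.expanduser(root)):
        findings.append(f"root CA file {root} not found; verify-* modes need it")
    return findings

if __name__ == "__main__":
    # Constructed configurations; none of these hosts exist.
    cases = [
        ("host=db.internal dbname=app", {}),                 # silently falls back to prefer
        ("host=db.internal", {"PGSSLMODE": "verify-full"}),  # env var sets the mode
        ("postgresql://app@db.internal/app?sslmode=require",
         {"PGSSLMODE": "verify-full"}),                      # conninfo overrides the env var
    ]
    for dsn, env in cases:
        print(dsn, "->", check_tls_config(dsn, env) or ["ok"])
```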