magec
commented
2 weeks ago I think you are right and there is no way of adding new certification authorities with current PgCat. Maybe we should provide a way of trusted CAs.
Open chrisjowen opened 1 month ago
magec
commented
2 weeks ago I think you are right and there is no way of adding new certification authorities with current PgCat. Maybe we should provide a way of trusted CAs.
Is your feature request related to a problem? Please describe.
I believe (which my non existent knowledge of rust) that the server certificates used so validate TSL handshake between the proxy and the client uses the bundled Firefox CA certs only and there's no way to at to these.
Here's where I think this is the case:
https://github.com/postgresml/pgcat/blob/main/src/server.rs#L403
I could be completely wrong so feel free to correct be if I am
Describe the solution you'd like Possibly in the config to have an option to specify additional cert file locations
Describe alternatives you've considered Can't think of any
Additional context
I hit this problem trying to connect to AWS RDS which provides a cert not in the keystore