Closed broccolihighkicks closed 2 years ago
native-tls is backed by Security.framework on macOS, which has some more pedantic requirements on certificates that it is willing to accept compared to OpenSSL: https://support.apple.com/en-us/HT210176. It could be that setting the certificate to Always Trust bypasses those extra checks.

`danger_accept_invalid_certs` will accept literally any certificate for any site, so it is definitely not the same thing as adding your particular certificate to the keychain.

If you know what certificate you are going to receive (e.g. you're talking to something else you control on the same host) then you don't need to rely on certificate validation. However, I strongly recommend not disabling certificate validation.

Some of the Security.framework behavior linked above is to ignore the common name entry in certificates, instead requiring SAN entries, which could explain why you need to disable hostname verification.
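The common-name-versus-SAN point in the reply above, as an added example (mine, not code from this issue or from the native-tls project). It models the two hostname checks the thread contrasts: an OpenSSL-style check that falls back to the certificate's Common Name when no SANs are present, and a Security.framework-style check that ignores the CN and requires SANs. It also encodes three of the certificate requirements on the Apple page linked in the reply (SAN present, RSA key of at least 2048 bits, validity of at most 825 days) as I read that page. The `ServerCert` struct, the `Policy` and `Rejection` enums and the sample hostnames are all constructed for the illustration; a real client would take these fields from the parsed X.509 leaf certificate, and none of this is the native-tls API.

```rust
// Added example, not code from the issue or from the native-tls project.
// It models the hostname check that `danger_accept_invalid_hostnames(true)`
// switches off, under two policies, and a subset of the certificate
// requirements on Apple's HT210176 page as read by this author.

/// Fields of a server (leaf) certificate relevant to the checks below.
/// Constructed by hand here; a real client gets them from the parsed X.509.
#[derive(Debug, Clone)]
pub struct ServerCert {
    pub common_name: Option<String>,
    /// subjectAltName dNSName entries
    pub dns_sans: Vec<String>,
    pub rsa_bits: u32,
    pub validity_days: u32,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Policy {
    /// OpenSSL-style: use the CN only when the certificate carries no SANs.
    LegacyCnFallback,
    /// Security.framework-style: the CN is ignored; SANs are required.
    StrictSanOnly,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    NoSanEntries,
    HostnameMismatch,
    WeakRsaKey(u32),
    ValidityTooLong(u32),
}

/// RFC 6125-style name matching: case-insensitive, with a single leftmost
/// wildcard label. "*.example.com" matches "db.example.com" but neither
/// "example.com" nor "a.b.example.com".
fn name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    let host = host.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(parent) => match host.split_once('.') {
            Some((label, rest)) => !label.is_empty() && rest == parent,
            None => false,
        },
        None => pattern == host,
    }
}

/// Hostname verification under the chosen policy. This is the check that
/// `danger_accept_invalid_hostnames(true)` would skip entirely.
pub fn verify_hostname(cert: &ServerCert, host: &str, policy: Policy) -> Result<(), Rejection> {
    if cert.dns_sans.is_empty() {
        return match (policy, &cert.common_name) {
            (Policy::StrictSanOnly, _) => Err(Rejection::NoSanEntries),
            (Policy::LegacyCnFallback, Some(cn)) if name_matches(cn, host) => Ok(()),
            (Policy::LegacyCnFallback, _) => Err(Rejection::HostnameMismatch),
        };
    }
    // When SANs are present, both policies ignore the CN.
    if cert.dns_sans.iter().any(|san| name_matches(san, host)) {
        Ok(())
    } else {
        Err(Rejection::HostnameMismatch)
    }
}

/// Three of the requirements on the Apple page linked in the reply, as this
/// author reads it: SANs present, RSA key >= 2048 bits, validity <= 825 days.
/// A certificate OpenSSL accepts can still fail here, which is the
/// "pedantic" difference the reply describes.
pub fn meets_apple_requirements(cert: &ServerCert) -> Result<(), Rejection> {
    if cert.dns_sans.is_empty() {
        return Err(Rejection::NoSanEntries);
    }
    if cert.rsa_bits < 2048 {
        return Err(Rejection::WeakRsaKey(cert.rsa_bits));
    }
    if cert.validity_days > 825 {
        return Err(Rejection::ValidityTooLong(cert.validity_days));
    }
    Ok(())
}

fn main() {
    // Constructed sample: a leaf certificate naming the host only in its CN.
    let cn_only = ServerCert {
        common_name: Some("db.example.internal".to_string()),
        dns_sans: vec![],
        rsa_bits: 2048,
        validity_days: 365,
    };
    // Constructed sample: the same certificate reissued with a SAN entry.
    let with_san = ServerCert {
        dns_sans: vec!["db.example.internal".to_string()],
        ..cn_only.clone()
    };
    let host = "db.example.internal";
    println!("CN-only, legacy : {:?}", verify_hostname(&cn_only, host, Policy::LegacyCnFallback));
    println!("CN-only, strict : {:?}", verify_hostname(&cn_only, host, Policy::StrictSanOnly));
    println!("SAN,     strict : {:?}", verify_hostname(&with_san, host, Policy::StrictSanOnly));
    println!("Apple checks    : {:?}", meets_apple_requirements(&with_san));
}
```

Under the strict policy the CN-only certificate is rejected with `NoSanEntries` before the hostname is even compared, which is the failure that `danger_accept_invalid_hostnames(true)` papers over; the same certificate reissued with a `dNSName` SAN passes both policies, so a leaf certificate that carries a SAN is the fix that keeps hostname verification switched on.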
Hello,

I am connecting to a Postgres server with a self signed root CA. I have a `ca.crt` from a managed cloud Postgres service. I am comparing the `openssl` and `native-tls` crates - I want to ensure my connections are secure.

`openssl` works:

[code block not preserved]

- [...] `danger_*` functions.
- [...] `ca.crt` to the macOS keychain.

`native-tls` only seems to work when:

- `ca.crt` is added to macOS keychain and set to Always Trust.
- `danger_accept_invalid_hostnames(true)`

Questions:

A. Why does the `ca.crt` have to be added to the macOS keychain for the `native-tls` version even when `disable_built_in_roots(true).add_root_certificate(cert)`?

B. Is `.add_root_certificate(cert).danger_accept_invalid_certs(true)` the same as adding the cert to macOS keychain and setting Always Trust?

D. Is `danger_accept_invalid_certs(true)` secure if my connection only uses `ca.crt` and I trust the integrity of it?

Also this seems to work:

[code block not preserved]

E. So why do I have to set `.danger_accept_invalid_hostnames(true)` on the `native-tls` client (does OpenSSL/psql not do the same check)?

F. Does `native-tls` work without having to add the `ca.crt` to the macOS keychain (I want to just provide it via `.add_root_certificate(cert)`)?

Thanks