libpg requires the server’s root CA certificate to be saved in advance for it to verify TLS connections.
What would be the best way to get a Neon endpoint’s root CA cert? I had a look through the docs but I couldn’t see TLS verification mentioned.
I’ve discovered I can run openssl s_client -starttls postgres -connect <hostname>:5432 -verify 5 -showcerts </dev/null to have openssl fetch and verify the certificate chain. This taught me that Neon’s using a Let’s Encrypt cert, so I was able to have libpg use the system CA certs by setting PGSSLROOTCERT=/etc/ssl/certs/ca-certificates.crt. That works, and verifies the cert properly.
I think it’d be a good idea to update the docs on this, as the docs suggest a connection string that will result in no TLS verification - pretty bad if your connection runs over the public internet.
1 Like
Fair enough. We also want to support channel binding that has the same security properties without the necessity to check certificates (password is used as a shared knowledge instead of cert trust chains). But while don’t have channel binding it makes sense to explain how to work with usual certs and publish our cert, so we’ll update docs. Anyway not all clients do support channel binding, so certificates story will be important in the long run too.
Thank you for bringing this up.