security: Make inter-node certificate hostname verification optional #19265
Labels: A-kv-client (Relating to the KV client and the KV interface.), C-enhancement (Solution expected to add code/behavior + preserve backward-compat; pg compat issues are the exception)
I think that allowing CA-only verification of inter-node TLS connections (ignoring hostnames) would be a useful "semi-secure" mode. This would be operationally easier than the current strict verification and I think it would still provide a useful level of security (unlike the "security theater" of using passwords on insecure pgwire connections while leaving the GRPC interface wide open).
The operational difficulties that would be avoided with this option are
The security risks are
This mode will not be appropriate for all deployments, but I think we may be able to reduce the usage of `--insecure` mode if this option were available. A drawback of this change would be that it takes up documentation space and may also draw people away from the more secure (MITM-proof) modes. More discussion in https://news.ycombinator.com/item?id=15460925. cc @mberhault
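To make the two verification modes the issue contrasts concrete, here is an added Go example (written for this page, not code from the issue or from CockroachDB). It builds a throwaway CA plus node certificates as constructed test material, then runs the strict default (chain plus hostname) and the proposed CA-only mode (chain only) over them. The function names `verifyChain`, `caOnlyTLSConfig`, `runScenario` and the node names under `example.internal` are this example's own choices. The point to notice is the pairing in `caOnlyTLSConfig`: `InsecureSkipVerify: true` switches off Go's built-in verification, and `VerifyPeerCertificate` then carries the entire trust decision; the flag on its own would be the fully insecure mode.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyChain returns a crypto/tls VerifyPeerCertificate callback. dialedName == ""
// is the CA-only mode (chain, expiry and key usage checked, SAN not compared);
// a non-empty dialedName is the strict default (chain plus hostname match).
func verifyChain(pool *x509.CertPool, dialedName string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		inter := x509.NewCertPool() // any intermediates the peer sent
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			inter.AddCert(c)
		}
		_, err = leaf.Verify(x509.VerifyOptions{
			Roots: pool, Intermediates: inter,
			DNSName:   dialedName, // empty string disables the hostname check only
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		})
		return err
	}
}

// caOnlyTLSConfig wires the callback into crypto/tls. InsecureSkipVerify turns off
// Go's own checks, so the callback is now the whole trust decision; never set it alone.
func caOnlyTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true,
		VerifyPeerCertificate: verifyChain(pool, "")}
}

// must aborts on setup errors; used only while building the constructed test material.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert is constructed test material (hypothetical CA and nodes, not cluster certs):
// a self-signed CA when parent is nil, otherwise a server cert for name signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // CA: self-signed and allowed to sign
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // node: DNS name as SAN plus the serverAuth EKU the verifier demands
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// runScenario issues a node cert from the cluster CA and one from an unrelated CA,
// then reports what each verification mode decides about them.
func runScenario() (strictCorrectName, strictWrongName, caOnlySameCA, caOnlyOtherCA error) {
	clusterCA, clusterKey := newCert("cluster-ca (constructed)", nil, nil)
	otherCA, otherKey := newCert("unrelated-ca (constructed)", nil, nil)
	node1, _ := newCert("node1.example.internal", clusterCA, clusterKey)
	rogue, _ := newCert("node1.example.internal", otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA)
	caOnly := caOnlyTLSConfig(pool).VerifyPeerCertificate
	return verifyChain(pool, "node1.example.internal")([][]byte{node1.Raw}, nil), // nil
		verifyChain(pool, "node2.example.internal")([][]byte{node1.Raw}, nil), // x509.HostnameError
		caOnly([][]byte{node1.Raw}, nil), // nil: any node from the cluster CA passes
		caOnly([][]byte{rogue.Raw}, nil) // x509.UnknownAuthorityError: foreign CA still rejected
}

func main() {
	a, b, c, d := runScenario()
	fmt.Println("strict/correct name:", a, "\nstrict/wrong name:", b, "\nCA-only/same CA:", c, "\nCA-only/other CA:", d)
}
```

Running it shows the trade-off in one screen: strict mode rejects a certificate for a different node name, CA-only mode accepts any certificate the cluster CA has issued regardless of the address dialed, and both modes reject a certificate from an unrelated CA. That last line is what separates the proposed mode from `--insecure`.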