Home > mailing lists

Re: controlling the location of server-side SSL files - Mailing list pgsql-hackers

From	Peter Eisentraut
Subject	Re: controlling the location of server-side SSL files
Date	February 29, 2012 17:33:06
Msg-id	1330540368.30260.0.camel@vanquo.pezone.net Whole thread Raw
In response to	Re: controlling the location of server-side SSL files (Magnus Hagander <magnus@hagander.net>)
Responses	Re: controlling the location of server-side SSL files (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

On ons, 2012-02-08 at 09:16 +0100, Magnus Hagander wrote:
> > I'm still worried about this.  If we ignore a missing root.crt, then the
> > effect is that authentication and certificate verification might fail,
> > which would be annoying, but you'd notice it soon enough.  But if we
> > ignore a missing root.crl, we are creating a security hole.
> >
> 
> Yes, ignoring a missing file in a security context is definitely not good.
> It should throw an error.
> 
> We have a few bad defaults from the old days around SSL for this, but if it
> requires breaking backwards compatibility to get it right, I think we
> should still do it. 

Btw., should we also consider making similar changes on the libpq side?

pgsql-hackers by date:

From: Robert Haas
Date: 29 February 2012, 17:28:00
Subject: Re: LIST OWNED BY...

From: Tom Lane
Date: 29 February 2012, 17:40:26
Subject: Re: Parameterized-path cost comparisons need some work

Re: controlling the location of server-side SSL files - Mailing list pgsql-hackers

Previous

Next