Another set of SSL patches have been sent to the patches list.
(No idea when they'll get through the system.) This is a new
baseline set of patches that fix many of the problems identified
earlier and also add a number of security patches.
N.B., some of these changes are visible to the user, but are
common practice for SSL code. The most notable is a minimal
certificate validation that requires that certs be current
(no more expired certs) and that the cert's common name match
the hostname used with contacting the backend.
This means that a cert containing a common name such as
'eris.example.com' *must* be accessed via
psql -h eris.example.com ...
not
psql -h eris ...
A future patch can relax this so that the common name can
resolve to the address returned by getpeername(2).
Client certs are optional, but if they exist they are expected
in the user's home directory, under the .postgresql directory.
Encrypted private keys are not yet supported.
Bear
