* Martin Pitt (mpitt@debian.org) wrote:
> Magnus Hagander [2009-04-11 11:50 +0200]:
> > That has just been brought up from previous versions. Perhaps we need to
> > have a system wide root store as well - then you could point that to
> > whatever snakeoil store you have, and it would find the cert correctly?
>=20
> We couldn't set this up by default, of course, since each installed
> machine will have a different snakeoil cert (it gets generated during
> installation).=20
It's worse than that.. Obviously, you can have the client installed on
systems which aren't where the server is (we do this alot..) and there's
no way for a packaging system to pull the cert from the server.
> But at least the servers I know often use something
> like /etc/ssl/certs/<myservername>.crt and point their services (like
> apache, postfix, etc.) to this. However, right now the client side
> psql does not have any system wide configuration files, so adding
> something like this will need some careful design.
If we're going to do something along those lines, we should start by
supporting a CA cert directory or similar. We could then recommend
ca-certificates and default config the client to use those. Of course,
anyone who actually cares about security probably wouldn't install
ca-certificates, but it's what the browsers use.
Thanks,
Stephen