Re: Successor of MD5 authentication, let's use SCRAM - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Successor of MD5 authentication, let's use SCRAM
Date
Msg-id 50855EDD.4050705@dunslane.net
In response to Re: Successor of MD5 authentication, let's use SCRAM  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Successor of MD5 authentication, let's use SCRAM  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
On 10/22/2012 10:18 AM, Robert Haas wrote:
> On Sun, Oct 21, 2012 at 11:02 AM, Martijn van Oosterhout
> <kleptog@svana.org> wrote:
>> It bugs me every time you have to jump through hoops and get red
>> warnings for an unknown CA, whereas no encryption whatsoever is treated
>> as fine while being actually even worse.
> +1.  Amen, brother.
>

Not really, IMNSHO. The difference is that an unencrypted session isn't 
pretending to be secure. In any case, it doesn't seem too intrusive for 
us to warn, at least in psql, with something like:
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Host Certificate Unverified

If people want to get more paranoid they can always set PGSSLMODE to 
verify-ca or verify-full.


cheers

andrew


