Re: sslmode=require fallback - Mailing list pgsql-hackers

From Andreas 'ads' Scherbaum
Subject Re: sslmode=require fallback
Msg-id 5788A39F.5010703@wars-nicht.de
In response to Re: sslmode=require fallback  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
On 14.07.2016 23:34, Magnus Hagander wrote:
>
>
> On Thu, Jul 14, 2016 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us
> <mailto:tgl@sss.pgh.pa.us>> wrote:
>
>     Greg Stark <stark@mit.edu <mailto:stark@mit.edu>> writes:
>     > Well what's required to "configure SSL" anyways? If you don't have
>     > verify-ca set or a root canal cert present then the server just needs a
>     > certificate -- any certificate. Can the server just cons one up on demand
>     > (or server startup or initdb)?
>
>     Hmm, good old "snake oil certificate" approach.  Yeah, we could probably
>     have initdb create a cert all the time.  I had memories of this taking
>     an undue amount of time, but it seems pretty fast on a modern server.
>
>
> It can still take a very significant amount of time in some virtual
> environments, due to lack of entropy. And virtual environments aren't
> exactly uncommon these days...

What expiry time would you choose for the certificate? One year? Two years?
Which tool is going to regenerate your new cert, once this one expires?
You don't want to run initdb again ...


Regards,

--             Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project
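The question above (who regenerates the snake-oil certificate once it expires, without re-running initdb) is answered in practice by a small renewal script run from cron. The following is an added example, not code from the thread or from PostgreSQL itself: it creates a self-signed server.crt/server.key pair in the data directory (PostgreSQL's default names for ssl_cert_file and ssl_key_file), detects with `openssl x509 -checkend` when the certificate is about to expire, and regenerates it. The validity period, the renewal window and the CN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the pgsql-hackers thread or of PostgreSQL:
# create and renew a self-signed "snake oil" server certificate for a
# PostgreSQL data directory, so initdb never has to be run again.
# Requires only the openssl command-line tool.

# pg_cert_generate DIR DAYS CN
# Write DIR/server.key (mode 0600: PostgreSQL refuses to start when a
# key owned by the server user is group- or world-readable) and a
# self-signed DIR/server.crt valid for DAYS days.
pg_cert_generate() {
    dir=$1; days=$2; cn=$3
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 )
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# pg_cert_needs_renewal CRT SECONDS
# Return 0 (true) when CRT is missing or will expire within SECONDS,
# 1 otherwise.  'openssl x509 -checkend N' exits 0 only if the
# certificate is still valid N seconds from now.
pg_cert_needs_renewal() {
    crt=$1; window=$2
    [ -f "$crt" ] || return 0
    if openssl x509 -noout -checkend "$window" -in "$crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# pg_cert_renew_if_needed DIR DAYS CN WINDOW_DAYS
# Regenerate the certificate when it expires within WINDOW_DAYS.
# Return 0 if a new certificate was written, 1 if nothing was done.
pg_cert_renew_if_needed() {
    dir=$1; days=$2; cn=$3; window_days=$4
    window_secs=$(( window_days * 86400 ))
    if pg_cert_needs_renewal "$dir/server.crt" "$window_secs"; then
        pg_cert_generate "$dir" "$days" "$cn"
        return 0
    fi
    return 1
}

# Typical cron usage (assumed paths): renew 30 days before expiry of a
# one-year certificate, then tell the server to pick up the new files.
# PostgreSQL 10 and later reload SSL files on SIGHUP (pg_ctl reload);
# older releases need a restart.
#   if pg_cert_renew_if_needed /var/lib/postgresql/data 365 "$(hostname)" 30; then
#       pg_ctl -D /var/lib/postgresql/data reload
#   fi
```

Two caveats a practitioner would want: a self-signed certificate only gives clients using sslmode=require protection against passive eavesdropping, since nothing verifies the server's identity; clients that use verify-ca or verify-full must have the current server.crt (or a CA that signed it) in their trust store, and every renewal replaces the certificate they trust, so the regenerated file has to be redistributed. The key is generated with the system's OpenSSL defaults; on virtual machines with a weak entropy source, which the thread mentions, consider seeding the guest's RNG (for example via virtio-rng) before generating long-lived keys.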

