Re: Upcoming re-releases - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Upcoming re-releases
Date
Msg-id 6BCB9D8A16AC4241919521715F4D8BCEA0F77A@algol.sollentuna.se
Whole thread Raw
In response to Upcoming re-releases  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Upcoming re-releases
Re: Upcoming re-releases
List pgsql-hackers
> I'm not sure whether our current SSL support does a good job of this
> --- I think it only tries to check whether the server
> presents a valid certificate, not which cert it is.  Possibly
> Kerberos does more, but I dunno a thing about that...

If you stick a root certificate (root.crt in ~/.postgresql) for it to
validate against, it will be validated against that root. I'm not sure
if it validates the common name of the cert though - that would be an
issue if you're using a global CA. If you're using a local enterprise
CA, that's a much smaller issue (because you yourself have total control
over who gets certificates issued by the CA).

The way our Kerberos implementation is done, it does *not* validate the
server, just the client. If you want server verification, you must use a
combination of both Kerberos and SSL.

//Magnus


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Upcoming re-releases
Next
From: Tom Lane
Date:
Subject: Re: Upcoming re-releases