Postgres Pro
Downloads
Home   >   mailing lists

Thread: more verbose SSL session info for psql

more verbose SSL session info for psql

From
Bear Giles
Date:
This is a small patch - many people (including myself) believe that
all encrypted channels should always clearly communicate to the user
the identity and session parameters of the connection.  This allows
the user to decide whether to abort a connection if they find something
unexpected and unacceptable.

This patch only affects psql, and merely replaces

  SSL connection
  (cipher: DES-CBC3-SHA, bits 168)

with the moderately more useful

  encrypted connection to eris.example.com
  Chaos and Despair, Unlimited.
  Turmoil Division
  (cipher: DES-CBC3-SHA, bits 168)

(Specifically, the "common name", "organization name" and
"organizational unit name" fields of the server's cert.)

Before anyone else points it out, anyone can put anything they want
into their own self-signed cert.  So the value of this is limited
until there's either a trusted local root cert store (like what
web browsers use) or a trusted PKIX infrastructure.  But it's better
than nothing if you routinely connect to multiple servers, and it
will get people used to seeing the information.

Bear
Attachment

Re: more verbose SSL session info for psql

From
John Gray
Date:
On Thu, 2002-05-16 at 05:28, Bear Giles wrote:
[snip]
>
> with the moderately more useful
>
>   encrypted connection to eris.example.com
>   Chaos and Despair, Unlimited.
>   Turmoil Division
>   (cipher: DES-CBC3-SHA, bits 168)
>
> (Specifically, the "common name", "organization name" and
> "organizational unit name" fields of the server's cert.)
>
> Before anyone else points it out, anyone can put anything they want
> into their own self-signed cert.  So the value of this is limited
> until there's either a trusted local root cert store (like what
> web browsers use) or a trusted PKIX infrastructure.  But it's better
> than nothing if you routinely connect to multiple servers, and it
> will get people used to seeing the information.
>

Would it be useful therefore to add [unverified] to the start of the
listing -a trusted certificate verification option later would make this
[verified]? Then the format doesn't change once you implement a trusted
certificate infrastructure.

Regards

John


--
John Gray
Azuli IT
www.azuli.co.uk