Thread: First cut at SSL documentation
Attached is the first cut at some SSL documentation for the PostgreSQL manual. It's in plain text, not DocBook, to make editing easy for the first few revisions. The documentation leads the code by a day or so.

Also, I'm still having problems with the patches list - none of my recent submissions have gotten through, and I haven't even gotten the confirmation note from when I tried to resubscribe to that list. That's why the main SSL patches haven't appeared yet.

Bear

Your patch has been added to the PostgreSQL unapplied patches list at:

http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------

Bear Giles wrote:
> Attached is the first cut at some SSL documentation for the
> PostgreSQL manual. It's in plain text, not DocBook, to make
> editing easy for the first few revisions. The documentation
> leads the code by a day or so.
>
> Also, I'm still having problems with the patches list - none
> of my recent submissions have gotten through, and I haven't
> even gotten the confirmation note from when I tried to resubscribe
> to that list. That's why the main SSL patches haven't appeared yet.
>
> Bear

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

Sorry, there is a newer version. I will use that one.

---------------------------------------------------------------------------

Bear Giles wrote:
> Attached is the first cut at some SSL documentation for the
> PostgreSQL manual. It's in plain text, not DocBook, to make
> editing easy for the first few revisions. The documentation
> leads the code by a day or so.
>
> Also, I'm still having problems with the patches list - none
> of my recent submissions have gotten through, and I haven't
> even gotten the confirmation note from when I tried to resubscribe
> to that list. That's why the main SSL patches haven't appeared yet.
>
> Bear

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

> Sorry, there is a newer version. I will use that one.

You may want to hold off on that - I've been busy lately and haven't had a chance to revisit the documentation or change some of the literal constants to numeric constants, but it's been on my "to do" list.

The latter didn't affect the other patches since I planned on doing a latter-day patch anyway, but the documentation may need some big changes to emphasize the rule that it's "use SSH tunnels if you just want to prevent eavesdropping, use SSL directly if you need to firmly establish the identity of the server or clients."

(And sorry about responding via the lists, but your mail server doesn't like to talk to cable modem users.)

Bear

Bear Giles wrote:
> > Sorry, there is a newer version. I will use that one.
>
> You may want to hold off on that - I've been busy lately and haven't had
> a chance to revisit the documentation or change some of the literal constants
> to numeric constants, but it's been on my "to do" list.

OK, thanks. I will hold off on the docs part.

Sorry it has taken me so long to get to these SSL patches (my vacation). I am doing them now.

> The latter didn't affect the other patches since I planned on doing a
> latter-day patch anyway, but the documentation may need some big changes
> to emphasize the rule that it's "use SSH tunnels if you just want
> to prevent eavesdropping, use SSL directly if you need to firmly establish
> the identity of the server or clients."
>
> (And sorry about responding via the lists, but your mail server doesn't
> like to talk to cable modem users.)

Sorry about the block. RBL+ has been much more effective lately, and it is because they are blocking more dialup users. This is the first false positive I have gotten from them. You can use momjian@postgresql.org or route your email through west.navpoint.com. I will see if I can pass your IP through. I can do it in my blacklist, but I am not sure that works for RBL+.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

* Bruce Momjian <pgman@candle.pha.pa.us> [020613 21:49]:
> Bear Giles wrote:
> > > Sorry, there is a newer version. I will use that one.
> >
> > You may want to hold off on that - I've been busy lately and haven't had
> > a chance to revisit the documentation or change some of the literal constants
> > to numeric constants, but it's been on my "to do" list.
>
> OK, thanks. I will hold off on the docs part.
>
> Sorry it has taken me so long to get to these SSL patches (my vacation).
> I am doing them now.
>
> > The latter didn't affect the other patches since I planned on doing a
> > latter-day patch anyway, but the documentation may need some big changes
> > to emphasize the rule that it's "use SSH tunnels if you just want
> > to prevent eavesdropping, use SSL directly if you need to firmly establish
> > the identity of the server or clients."
> >
> > (And sorry about responding via the lists, but your mail server doesn't
> > like to talk to cable modem users.)
>
> Sorry about the block. RBL+ has been much more effective lately, and it
> is because they are blocking more dialup users. This is the first false
> positive I have gotten from them. You can use momjian@postgresql.org or
> route your email through west.navpoint.com. I will see if I can pass
> your IP through. I can do it in my blacklist, but I am not sure that
> works for RBL+.

If you are using sendmail, the access file overrides the RBL, if you set delay checks in the MC file.

I can help if you are using sendmail.

LER

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

Larry Rosenman wrote:
> > Sorry about the block. RBL+ has been much more effective lately, and it
> > is because they are blocking more dialup users. This is the first false
> > positive I have gotten from them. You can use momjian@postgresql.org or
> > route your email through west.navpoint.com. I will see if I can pass
> > your IP through. I can do it in my blacklist, but I am not sure that
> > works for RBL+.
> If you are using sendmail, the access file overrides the RBL, if you
> set delay checks in the MC file.
>
> I can help if you are using sendmail.

Yes, using sendmail. That is helpful info. I don't have delay checks enabled right now, but can easily do that. Thanks.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

Larry Rosenman wrote:
> > Sorry about the block. RBL+ has been much more effective lately, and it
> > is because they are blocking more dialup users. This is the first false
> > positive I have gotten from them. You can use momjian@postgresql.org or
> > route your email through west.navpoint.com. I will see if I can pass
> > your IP through. I can do it in my blacklist, but I am not sure that
> > works for RBL+.
> If you are using sendmail, the access file overrides the RBL, if you
> set delay checks in the MC file.
>
> I can help if you are using sendmail.

OK, Bear, configured for 192.168.1.3. Would you shoot me a personal email as a test? Send failure message to momjian@postgresql.org. Thanks.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026