Skip site navigation (1) Skip section navigation (2)

Re: controlling the location of server-side SSL files

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: controlling the location of server-side SSL files
Date: 2012-02-29 18:32:48
Message-ID: 1330540368.30260.0.camel@vanquo.pezone.net (view raw or flat)
Thread:
Lists: pgsql-hackers
On ons, 2012-02-08 at 09:16 +0100, Magnus Hagander wrote:
> > I'm still worried about this.  If we ignore a missing root.crt, then the
> > effect is that authentication and certificate verification might fail,
> > which would be annoying, but you'd notice it soon enough.  But if we
> > ignore a missing root.crl, we are creating a security hole.
> >
> 
> Yes, ignoring a missing file in a security context is definitely not good.
> It should throw an error.
> 
> We have a few bad defaults from the old days around SSL for this, but if it
> requires breaking backwards compatibility to get it right, I think we
> should still do it. 

Btw., should we also consider making similar changes on the libpq side?


In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2012-02-29 18:40:05
Subject: Re: Parameterized-path cost comparisons need some work
Previous:From: Robert HaasDate: 2012-02-29 18:27:43
Subject: Re: LIST OWNED BY...

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group