2nd revision of SSL patches

From: Bear Giles <bgiles(at)coyotesong(dot)com>
To: pgsql-patches(at)postgresql(dot)org
Subject: 2nd revision of SSL patches
Date: 2002-05-21 07:36:09
Message-ID: 200205210736.BAA13044@eris.coyotesong.com
Lists: pgsql-patches

Another uberpatch for the SSL code.

The main improvements over the last revision include:

 *) certs are fully validated - valid root certs must be available.
    This is a hassle, but it means that you *can* trust the identity
    of the server.

 *) the client library can handle hardcoded root certificates, to
    avoid the need to copy these files.

 *) host name of server cert must resolve to IP address, or be a
    recognized alias.  This is more liberal than the previous 
    iteration.

 *) the number of bytes transferred is tracked, and the session
    key is periodically renegotiated.

 *) basic cert generation scripts (mkcert.sh, pgkeygen.sh).  The
    configuration files have reasonable defaults for each type
    of use.

Remaining issues are:

 *) select() in legacy code?

 *) encrypted private keys

 *) session support (useful if auto-reconnection will be supported)

 *) anonymous DH

 *) fully implemented cert tools

Bear

Attachment: tools.tar.gz
Description: application/tar-gzip (3.9 KB)
