Re: 2nd revision of SSL patches

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bear Giles <bgiles(at)coyotesong(dot)com>, pgsql-patches(at)postgresql(dot)org
Subject: Re: 2nd revision of SSL patches
Date: 2002-06-16 00:26:16
Message-ID: 200206160026.g5G0QGI27616@candle.pha.pa.us
Lists: pgsql-patches


OK, I have added tools.tar.gz to CVS under interfaces/ssl. Peter, you
seem to be saying we don't want these. Is that accurate?

---------------------------------------------------------------------------

Peter Eisentraut wrote:
> Bear Giles writes:
>
> > *) certs are fully validated - valid root certs must be available.
> > This is a hassle, but it means that you *can* trust the identity
> > of the server.
>
> I'm confused. We currently don't have SSL-based authentication, so why do
> we have certificates at all?
>
> > *) the client library can handle hardcoded root certificates, to
> > avoid the need to copy these files.
>
> Hardcoding is evil.
>
> > *) host name of server cert must resolve to IP address, or be a
> > recognized alias. This is more liberal than the previous
> > iteration.
>
> Which is the standard/recommended practice?
>
> > *) the number of bytes transferred is tracked, and the session
> > key is periodically renegotiated.
>
> Define "periodically".
>
> > *) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
> > configuration files have reasonable defaults for each type
> > of use.
>
> Again, what are these certificate management tools for if we don't have
> any need for certificates?
>
> About the code:
>
> * no // comments
>
> * no fprintf(stderr, ...) in library functions
>
> * read_SSL/write_SSL -- If you think these functions are misnamed, rename
> them.
>
> * Isn't there an automated way to generate error messages from error codes
> in OpenSSL?
>
> --
> Peter Eisentraut peter_e(at)gmx(dot)net

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
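
The byte-tracking rule quoted above ("the number of bytes transferred is tracked, and the session key is periodically renegotiated"), sketched as an added example that is not code from the patch or from anyone in this thread. All names are hypothetical, and "periodically" is assumed to mean a caller-supplied byte limit, since the thread does not define it.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names. The thread gives no threshold; the caller picks one. */
typedef struct {
    uint64_t since_rekey;  /* bytes moved under the current session key */
    uint64_t limit;        /* renegotiate once since_rekey reaches this */
    unsigned rekeys;       /* completed renegotiations */
} reneg_tracker;

void reneg_init(reneg_tracker *t, uint64_t limit) { *t = (reneg_tracker){0, limit, 0}; }

/* Account for one read/write result n (bytes moved, or <= 0 on error/EOF,
 * which is not counted). Returns 1 when a renegotiation is due. */
int reneg_account(reneg_tracker *t, long n)
{
    if (n > 0) {
        uint64_t add = (uint64_t) n;
        /* Saturate rather than wrap, so a huge transfer cannot reset the count. */
        t->since_rekey = (UINT64_MAX - t->since_rekey < add)
            ? UINT64_MAX : t->since_rekey + add;
    }
    return t->since_rekey >= t->limit;
}

/* Call once the handshake for the new session key has completed. */
void reneg_done(reneg_tracker *t) { t->since_rekey = 0; t->rekeys++; }

/* Constructed driver: move total bytes in chunk-sized I/O calls and
 * return how many renegotiations the tracker asked for. */
unsigned simulate_transfer(uint64_t total, long chunk, uint64_t limit)
{
    reneg_tracker t;
    reneg_init(&t, limit);
    while (chunk > 0 && total > 0) {
        long n = (total < (uint64_t) chunk) ? (long) total : chunk;
        if (reneg_account(&t, n))
            reneg_done(&t);   /* real code would run the handshake here */
        total -= (uint64_t) n;
    }
    return t.rekeys;
}

int main(void) { printf("%u\n", simulate_transfer(10000, 1500, 4096)); return 0; }
```

Reads and writes feed the same counter, so the limit bounds the total data protected by one session key in both directions.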
