Skip site navigation (1) Skip section navigation (2)

Re: 2nd revision of SSL patches

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bear Giles <bgiles(at)coyotesong(dot)com>, pgsql-patches(at)postgresql(dot)org
Subject: Re: 2nd revision of SSL patches
Date: 2002-06-16 00:26:16
Message-ID: 200206160026.g5G0QGI27616@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-patches
OK, I have added tools.tar.gz to CVS under interfaces/ssl.  Peter, you
seem to be saying we don't want these.  Is that accurate?

---------------------------------------------------------------------------

Peter Eisentraut wrote:
> Bear Giles writes:
> 
> >  *) certs are fully validated - valid root certs must be available.
> >     This is a hassle, but it means that you *can* trust the identity
> >     of the server.
> 
> I'm confused.  We currently don't have SSL-based authentication, so why do
> we have certificates at all?
> 
> >  *) the client library can handle hardcoded root certificates, to
> >     avoid the need to copy these files.
> 
> Hardcoding is evil.
> 
> >  *) host name of server cert must resolve to IP address, or be a
> >     recognized alias.  This is more liberal than the previous
> >     iteration.
> 
> Which is the standard/recommended practice?
> 
> >  *) the number of bytes transferred is tracked, and the session
> >     key is periodically renegotiated.
> 
> Define "periodically".
> 
> >  *) basic cert generation scripts (mkcert.sh, pgkeygen.sh).  The
> >     configuration files have reasonable defaults for each type
> >     of use.
> 
> Again, what are these certificate management tools for if we don't have
> any need for certificates?
> 
> About the code:
> 
> * no // comments
> 
> * no fprintf(stderr, ...) in library functions
> 
> * read_SSL/write_SSL -- If you think these functions are misnamed, rename
>   them.
> 
> * Isn't there an automated way to generated error message from error codes
>   in OpenSSL?
> 
> -- 
> Peter Eisentraut   peter_e(at)gmx(dot)net
> 
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
> 
> http://archives.postgresql.org
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

In response to

Responses

pgsql-patches by date

Next:From: Bruce MomjianDate: 2002-06-17 16:31:26
Subject: Re: SSL (combined patches 1-4)
Previous:From: Bruce MomjianDate: 2002-06-16 00:12:36
Subject: Re: SSL (patch 5)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group