| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Dan Kaminsky <dan(at)doxpara(dot)com>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
| Date: | 2008-08-15 15:27:29 |
| Message-ID: | 200808151527.m7FFRUu22265@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Tom Lane wrote:
> Dan Kaminsky <dan(at)doxpara(dot)com> writes:
> > Lets talk about the verify_cb callback first: Suppose there's a
> > man-in-the-middle between the PG client and the PG server. Is some
> > secondary force going to apply some Trusted CA list?
>
> I'm not sure why we have verify_cb at all -- so far as I can see,
> it just specifies the same behavior as OpenSSL's default. Are
> you saying that OpenSSL's default verification behavior is broken?
verify_cb() is just a throwaway true parameter for the function, I
assume.
> > Second, are you saying verify_peer doesn't do anything for
> > authentication? Are you sure about that? There's really little reason
> > otherwise for the call to exist.
>
> Er, we don't *have* a verify_peer callback.
Uh, the user reported running Postgres 7.3 and we have improved SSL
quite a bit since then so perhaps an upgrade and reading the current
docs would help the user.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim Dornfeld | 2008-08-16 20:23:02 | BUG #4361: ODBC Driver 08030200 Hangs Excel |
| Previous Message | Peter Eisentraut | 2008-08-15 11:32:14 | Re: BUG #4357: SERIAL pseudotype and related SEQUENCE object |