
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-14 13:18:34
Message-ID: 20090414131834.GK8123@tamriel.snowman.net
Lists: pgsql-bugs
* Martin Pitt (mpitt(at)debian(dot)org) wrote:
> Magnus Hagander [2009-04-11 11:50 +0200]:
> > That has just been brought up from previous versions. Perhaps we need to
> > have a system wide root store as well - then you could point that to
> > whatever snakeoil store you have, and it would find the cert correctly?
> 
> We couldn't set this up by default, of course, since each installed
> machine will have a different snakeoil cert (it gets generated during
> installation). 

It's worse than that..  Obviously, you can have the client installed on
systems which aren't where the server is (we do this a lot..) and there's
no way for a packaging system to pull the cert from the server.

> But at least the servers I know often use something
> like /etc/ssl/certs/<myservername>.crt and point their services (like
> apache, postfix, etc.) to this. However, right now the client side
> psql does not have any system wide configuration files, so adding
> something like this will need some careful design.

If we're going to do something along those lines, we should start by
supporting a CA cert directory or similar.  We could then recommend
ca-certificates and default config the client to use those.  Of course,
anyone who actually cares about security probably wouldn't install
ca-certificates, but it's what the browsers use.

	Thanks,

		Stephen
