| From: | pgsql(at)mohawksoft(dot)com |
|---|---|
| To: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: SSL and USER_CERT_FILE round 2 |
| Date: | 2008-05-15 15:34:08 |
| Message-ID: | 37257.24.60.196.157.1210865648.squirrel@mail.mohawksoft.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
>
>
> pgsql(at)mohawksoft(dot)com wrote:
>> Adding "sslkey" and "sslcert" to the PQconnectdb connection string.
>>
>> After some discussion, I think it is more appropriate to add the
>> key/cert
>> file for SSL into the connect string. For example:
>>
>> PQconnectdb("host=foo dbname=bar sslmode=require
>> sslkey=/opt/myapp/share/keys/client.key
>> sslcert=/opt/myapp/share/keys/client.crt");
>>
>>
>> Any comments?
>>
>>
>
> I think if you're going to provide for these then you should also
> provide for the CA cert and CRL.
>
> Otherwise, it seems sensible.
I thought about that, but the root and crl are for the server, and that
makes sense that the keys would be in the server directory. The server
needs to protect its data against clients wishing to connect. The client
on the other hand, needs to access one or more postgresql servers.
It makes sense that the server keys and credentials be hard coded to its
protected data directory, while the client needs the ability to have
multiple keys.
Think of it this way, a specific lock only takes one key while a person
needs to carry multiple keys on a ring.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2008-05-15 15:47:50 | Re: SSL and USER_CERT_FILE round 2 |
| Previous Message | Marko Kreen | 2008-05-15 15:33:29 | Re: [rfc,patch] PL/Proxy in core |