
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-bugs(at)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>, Martin Pitt <mpitt(at)debian(dot)org>
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-10 20:25:25
Message-ID: 393.1239395125@sss.pgh.pa.us
Lists: pgsql-bugs

[ sorry for double reply, but I missed answering this point ]

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On Friday 10 April 2009 22:50:02 Tom Lane wrote:
>> If we believe that then we need to also change the server to require
>> a root.crt.

> That would make sense if the server required SSL in the first place.  But the
> default configuration of the server is to take anything.  It would conceivably
> be proper to require a stronger client authentication mechanism than "trust" 
> on hostssl lines.  (This doesn't have to be SSL-based client authentication.)

I guess I was insufficiently precise, because you seem to be responding
to a different point than I intended to make.  What I should have said
was "change the server to require a root.crt in order to successfully
establish an SSL connection".  Not that you have to have such a file
even if you don't care about SSL.  But if we are going to enforce that
SSL implies verification on the client side, then surely it should
also imply that on the server side.

			regards, tom lane
