Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Martin Pitt <mpitt(at)debian(dot)org>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-11 01:08:56
Message-ID: 4859.1239412136@sss.pgh.pa.us
Lists: pgsql-bugs

Martin Pitt <mpitt(at)debian(dot)org> writes:
> Tom Lane [2009-04-10 19:01 -0400]:
>> How do you deal with that? If the root cert is real, how do you put
>> in self-signed server certs?

> I'm afraid I don't understand. If an admin replaces the default
> snakeoil cert with a real one which he got signed by a CA, then of
> course he would replace the standard system SSL cert (which all the
> servers default to, and which is initially the snakeoil one) with the
> "good" certificate. I don't see a reason why an admin would replace a
> self-signed cert with another self-signed cert?

What I'm wondering about, given your emphasis on system-wide certs,
is how you deal with the fact that some apps (like web browsers)
are going to need a "real" root certificate, but you also want to
have a self-signed certificate that isn't traceable to the real
root. This may just indicate my ignorance of standard SSL operating
procedures ...

regards, tom lane
