Skip site navigation (1) Skip section navigation (2)

Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-10 17:56:14
Message-ID: 49DF883E.7060002@hagander.net (view raw or flat)
Thread:
Lists: pgsql-bugs
Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Tom Lane wrote:
>>> In the first place, I have never seen such a prompt, despite the fact
>>> that I use ssh constantly to connect to machines that I know do not have
>>> properly signed certificates.
> 
>> *really*? Here's what I get as an example (after removing the trust):
> 
>> ha(at)mha-laptop:~/.ssh$ ssh cvs.postgresql.org
>> The authenticity of host 'cvs.postgresql.org (217.196.146.206)' can't be
>> established.
>> DSA key fingerprint is 54:27:10:f3:48:0a:f0:b6:c3:14:79:7e:49:c0:75:f3.
>> Are you sure you want to continue connecting (yes/no)? ^C
> 
> This simply tells you that the machine has a new key since last time you
> talked to it.  It doesn't have anything to do with whether the machine's
> cert has been signed by anybody.  It also doesn't prevent you from
> operating without a root.crt file of your own.

SSH doesn't have certificates. The trusted key is as close as you get.
You can compare it to ssl with *only* self-signed-certificate. Where it
prompts you to authenticate the fingerprint of said
self-signed-certificate.

They do it through a prompt. We do it through a file. But as long as you
in pg only deal with self-signed certs, the outcome is pretty much the same.

//Magnus


In response to

pgsql-bugs by date

Next:From: Tom LaneDate: 2009-04-10 18:21:23
Subject: Re: Re: [BUGS] BUG #4027: backslash escaping notdisabled inplpgsql
Previous:From: Tom LaneDate: 2009-04-10 17:38:56
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group