
Re: Successor of MD5 authentication, let's use SCRAM

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Darren Duncan <darren(at)darrenduncan(dot)net>
Cc: John R Pierce <pierce(at)hogranch(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-13 14:00:34
Message-ID: 50797402.5000104@dunslane.net
Lists: pgsql-hackers
On 10/13/2012 01:55 AM, Darren Duncan wrote:
> John R Pierce wrote:
>> On 10/12/12 9:00 PM, Darren Duncan wrote:
>>> And now we're migrating to Red Hat for the production launch, using 
>>> the http://www.postgresql.org/download/linux/redhat/ packages for 
>>> Postgres 9.1, and these do *not* include the SSL. 
>>
>> hmm?  I'm using the 9.1 for CentOS 6(RHEL 6) and libpq.so certainly 
>> has libssl3.so, etc as references.  ditto the postmaster/postgres 
>> main program has libssl3.so too.   maybe your certificate chains 
>> don't come pre-built, I dunno, I haven't dealt with that end of things.
>
> Okay, I'll have to look into that.  All I know is out of the box SSL 
> just worked on Debian and it didn't on Red Hat; trying to enable SSL 
> on out of the box Postgres on Red Hat gave a fatal error on server 
> start, at the very least needing the installation of SSL keys/certs, 
> which I didn't have to do on Debian. -- Darren Duncan
Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as 
unimpressed. I'd argue that's worse than doing nothing. Here's what the 
docs say (rightly) about such certificates:

    A self-signed certificate can be used for testing, but a certificate
    signed by a certificate authority (CA) (either one of the global CAs
    or a local one) should be used in production so that clients can
    verify the server's identity. If all the clients are local to the
    organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope 
of Postgres, and I would not expect packagers to do it. I have created a 
local CA for RedHat and friends any number of times, and created signed 
certs for Postgres, both server and client, using them. It's not 
terribly hard.

cheers

andrew
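The local-CA setup the message describes, as an added example (not code from the message or from the PostgreSQL project): build a private CA, issue a CA-signed server certificate, and verify the chain the way a client with sslmode=verify-ca would, alongside the self-signed case that fails that check. The hostname, output directory and CA name are assumptions.

```shell
#!/bin/sh
# Added example: a small private CA and a CA-signed PostgreSQL server cert.
# Hostname, directory and CA name are assumed values, not from the message.
set -eu

make_pg_certs() {
    dir="$1"    # output directory (assumed)
    host="$2"   # hostname clients connect to; goes in the server cert CN (assumed)
    mkdir -p "$dir"

    # 1. Local CA: a private key and a self-signed CA certificate. This is the
    #    one file clients need to trust (client-side ~/.postgresql/root.crt).
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "/CN=Example Internal PostgreSQL CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

    # 2. Server key plus a certificate signing request; the CN is the hostname
    #    so that sslmode=verify-full on the client can match it.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign the request with the CA. This signature is what a self-signed
    #    server certificate lacks.
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null

    # The server refuses a private key readable by group or others.
    chmod 600 "$dir/server.key" "$dir/root.key"
    # Deploy: copy server.crt and server.key into the data directory (and
    # root.crt there too if client certificates are to be checked), set
    # ssl = on in postgresql.conf, and restart the server.
}

# Same check libpq performs with sslmode=verify-ca: server.crt must chain to
# a trusted root. Exit status 0 on success, non-zero otherwise.
verify_pg_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1
}

# A self-signed server certificate (no CA involved) fails that verification,
# which is why the quoted docs call it suitable for testing only.
self_signed_fails() {
    dir="$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
    ! openssl verify -CAfile "$dir/root.crt" "$dir/selfsigned.crt" >/dev/null 2>&1
}
```

Run as `make_pg_certs /tmp/pgcerts db.example.internal && verify_pg_cert /tmp/pgcerts` to produce and check the files.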
