
Re: Successor of MD5 authentication, let's use SCRAM

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Darren Duncan <darren(at)darrenduncan(dot)net>
Cc: John R Pierce <pierce(at)hogranch(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-13 14:00:34
Lists: pgsql-hackers
On 10/13/2012 01:55 AM, Darren Duncan wrote:
> John R Pierce wrote:
>> On 10/12/12 9:00 PM, Darren Duncan wrote:
>>> And now we're migrating to Red Hat for the production launch, using 
>>> the packages for 
>>> Postgres 9.1, and these do *not* include the SSL. 
>> hmm?  I'm using the 9.1 for CentOS 6(RHEL 6) and certainly 
>> has, etc as references.  ditto the postmaster/postgres 
>> main program has too.   maybe your certificate chains 
>> don't come pre-built, I dunno, I haven't dealt with that end of things.
> Okay, I'll have to look into that.  All I know is out of the box SSL 
> just worked on Debian and it didn't on Red Hat; trying to enable SSL 
> on out of the box Postgres on Red Hat gave a fatal error on server 
> start, at the very least needing the installation of SSL keys/certs, 
> which I didn't have to do on Debian. -- Darren Duncan
Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as 
unimpressed. I'd argue that's worse than doing nothing. Here's what the 
docs say (rightly) about such certificates:

    A self-signed certificate can be used for testing, but a certificate
    signed by a certificate authority (CA) (either one of the global CAs
    or a local one) should be used in production so that clients can
    verify the server's identity. If all the clients are local to the
    organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope 
of Postgres, and I would not expect packagers to do it. I have created a 
local CA for RedHat and friends any number of times, and created signed 
certs for Postgres, both server and client, using them. It's not 
terribly hard.
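The local-CA setup Andrew describes, as an added illustration that is not part of the thread or of any PostgreSQL packaging: a throwaway root CA signs one server and one client certificate, and the same root is what a client uses to check the server's identity (the docs' point above); the hostname, role name and scratch directory are assumed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing list): build a local CA, sign Postgres
# server and client certs with it, and verify them the way a client would.
set -eu

WORK=${WORK:-$(mktemp -d)}   # assumption: scratch directory for keys/certs

make_local_ca() {
  # Root key/cert kept off the database host; only root.crt is handed to clients
  # (as ~/.postgresql/root.crt) and to the server (as ssl_ca_file for client auth).
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -subj "/CN=example-local-ca" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

issue_cert() {
  # issue_cert <name> <CN>: CA-signed <name>.key/<name>.crt.
  # For the server, CN must be the hostname clients connect to (verify-full);
  # for a client, CN is the database role name when cert authentication is used.
  name=$1; cn=$2
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/$name.crt" 2>/dev/null
}

self_signed_cert() {
  # self_signed_cert <name> <CN>: the kind of cert the quoted docs warn about;
  # nothing a client already trusts vouches for it.
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

verify_against_ca() {
  # Succeeds only if <name>.crt chains to root.crt, i.e. what a client
  # configured with root.crt checks before trusting the server.
  openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

cert_cn() {
  # Print the CN of <name>.crt (the value verify-full compares to the hostname).
  openssl x509 -noout -subject -in "$WORK/$1.crt" | sed 's/.*CN *= *//'
}
```

Typical use: `make_local_ca; issue_cert server db.example.internal; issue_cert client alice`, then install server.crt/server.key as the Postgres ssl_cert_file/ssl_key_file and root.crt on the clients.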
