From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: src/test/ssl broken on HEAD |
Date: | 2015-09-16 00:23:40 |
Message-ID: | 55F8B68C.1000703@gmx.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 9/2/15 7:15 PM, Andres Freund wrote:
>> Add a regression test suite for SSL support.
>>
>> It's not run by the global "check" or "installcheck" targets, because the
>> temporary installation it creates accepts TCP connections from any user
>> the same host, which is insecure.
>
> We could just implement SSL over unix sockets. Obviously the
> connection-encryption aspect isn't actually useful, but e.g. client
> certs still make sense. Besides, it allows to avoid concerns like the
> above...
See old discussion here:
http://www.postgresql.org/message-id/49CA2524.5010809@gmx.net
At the time, we didn't have this test suite, obviously, so the utility
would be have been limited, but now it looks quite interesting.
The only trick, as I remember, was that clients tend to prefer SSL
automatically, which we probably don't want for Unix-domain sockets, so
we'd need to tweak those settings a bit.
The "old patch" referred to in that old thread wasn't actually attached,
so here it is, for amusement.
Attachment | Content-Type | Size |
---|---|---|
ssl-unix-sockets.patch | application/x-patch | 1.2 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2015-09-16 00:35:24 | Re: Unicode mapping scripts cleanup |
Previous Message | Tom Lane | 2015-09-15 23:47:31 | Re: pgsql: RLS refactoring |