Re: src/test/ssl broken on HEAD

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Andres Freund <andres(at)anarazel(dot)de>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: src/test/ssl broken on HEAD
Date: 2015-09-16 00:23:40
Message-ID: 55F8B68C.1000703@gmx.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 9/2/15 7:15 PM, Andres Freund wrote:
>> Add a regression test suite for SSL support.
>>
>> It's not run by the global "check" or "installcheck" targets, because the
>> temporary installation it creates accepts TCP connections from any user
>> the same host, which is insecure.
>
> We could just implement SSL over unix sockets. Obviously the
> connection-encryption aspect isn't actually useful, but e.g. client
> certs still make sense. Besides, it allows to avoid concerns like the
> above...

See old discussion here:
http://www.postgresql.org/message-id/49CA2524.5010809@gmx.net

At the time, we didn't have this test suite, obviously, so the utility
would be have been limited, but now it looks quite interesting.

The only trick, as I remember, was that clients tend to prefer SSL
automatically, which we probably don't want for Unix-domain sockets, so
we'd need to tweak those settings a bit.

The "old patch" referred to in that old thread wasn't actually attached,
so here it is, for amusement.

Attachment Content-Type Size
ssl-unix-sockets.patch application/x-patch 1.2 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2015-09-16 00:35:24 Re: Unicode mapping scripts cleanup
Previous Message Tom Lane 2015-09-15 23:47:31 Re: pgsql: RLS refactoring