From: | Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Greg Stark <stark(at)mit(dot)edu>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Jakob Egger <jakob(at)eggerapps(dot)at>, Robert Haas <robertmhaas(at)gmail(dot)com> |
Subject: | Re: sslmode=require fallback |
Date: | 2016-07-15 08:49:35 |
Message-ID: | 5788A39F.5010703@wars-nicht.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 14.07.2016 23:34, Magnus Hagander wrote:
>
>
> On Thu, Jul 14, 2016 at 11:27 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us
> <mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us>> wrote:
>
> Greg Stark <stark(at)mit(dot)edu <mailto:stark(at)mit(dot)edu>> writes:
> > Well what's required to "configure SSL" anyways? If you don't have
> > verify-ca set or a root canal cert present then the server just needs a
> > certificate -- any certificate. Can the server just cons one up on demand
> > (or server startup or initdb)?
>
> Hmm, good old "snake oil certificate" approach. Yeah, we could probably
> have initdb create a cert all the time. I had memories of this taking
> an undue amount of time, but it seems pretty fast on a modern server.
>
>
> It can still take a very significant amount of time in some virtual
> environments, due to lack of entropy. And virtual environments aren't
> exactly uncommon these days...
What expire time would you chose for the certificate? One year? Two years?
Which tool is going to re-generate your new cert, once this one expires?
You don't want to run initdb again ...
Regards,
--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project
From | Date | Subject | |
---|---|---|---|
Next Message | Dmitriy Sarafannikov | 2016-07-15 09:24:21 | Re: [HACKERS] [PERFORM] 9.4 -> 9.5 regression with queries through pgbouncer on RHEL 6 |
Previous Message | Craig Ringer | 2016-07-15 08:28:15 | Re: One process per session lack of sharing |