Re: sslmode=require fallback

From: Andreas 'ads' Scherbaum <adsmail(at)wars-nicht(dot)de>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Greg Stark <stark(at)mit(dot)edu>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Jakob Egger <jakob(at)eggerapps(dot)at>, Robert Haas <robertmhaas(at)gmail(dot)com>
Subject: Re: sslmode=require fallback
Date: 2016-07-15 08:49:35
Message-ID: 5788A39F.5010703@wars-nicht.de
Lists: pgsql-hackers

On 14.07.2016 23:34, Magnus Hagander wrote:
>
>
> On Thu, Jul 14, 2016 at 11:27 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us
> <mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us>> wrote:
>
> Greg Stark <stark(at)mit(dot)edu <mailto:stark(at)mit(dot)edu>> writes:
> > Well what's required to "configure SSL" anyways? If you don't have
> > verify-ca set or a root CA cert present then the server just needs a
> > certificate -- any certificate. Can the server just cons one up on demand
> > (or server startup or initdb)?
>
> Hmm, good old "snake oil certificate" approach. Yeah, we could probably
> have initdb create a cert all the time. I had memories of this taking
> an undue amount of time, but it seems pretty fast on a modern server.
>
>
> It can still take a very significant amount of time in some virtual
> environments, due to lack of entropy. And virtual environments aren't
> exactly uncommon these days...

What expire time would you choose for the certificate? One year? Two years?
Which tool is going to re-generate your new cert, once this one expires?
You don't want to run initdb again ...

Regards,

--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project
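
One answer to the regeneration question above, as an added example that is not code from this thread or from PostgreSQL: a cron-able sh script that checks the server cert's remaining lifetime with openssl and re-issues a self-signed one shortly before it expires. It assumes openssl is installed, that PGDATA is the data directory, and that the cert and key use PostgreSQL's default names server.crt and server.key.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL:
# renew a self-signed server certificate in PGDATA before it
# expires, so a cert created once (e.g. by initdb) does not
# silently go stale. Assumes openssl is installed and that
# PGDATA holds server.crt/server.key (PostgreSQL's defaults).
set -eu

PGDATA="${PGDATA:-/var/lib/postgresql/data}"   # assumed location
CERT="$PGDATA/server.crt"
KEY="$PGDATA/server.key"
VALID_DAYS="${VALID_DAYS:-365}"                # lifetime of a new cert
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"   # renew this close to expiry

# True (exit 0) if the cert is missing or expires within $2 days.
cert_needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    # -checkend exits non-zero when the cert expires within N seconds
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Write a fresh self-signed cert/key pair. The key is created with
# mode 0600: the server refuses a key readable by group or world.
generate_self_signed() {
    cert="$1"; key="$2"; days="$3"; cn="$4"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$cn" -days "$days" \
          -keyout "$key" -out "$cert" >/dev/null 2>&1 )
    chmod 0600 "$key"
    chmod 0644 "$cert"
}

main() {
    if cert_needs_renewal "$CERT" "$RENEW_BEFORE_DAYS"; then
        generate_self_signed "$CERT" "$KEY" "$VALID_DAYS" "$(hostname)"
        echo "renewed $CERT; restart/reload PostgreSQL so it re-reads the files"
    else
        echo "$CERT valid for more than $RENEW_BEFORE_DAYS days"
    fi
}

# Run the check only when invoked with --run (e.g. from cron).
if [ "${1:-}" = "--run" ]; then main; fi
```

Note that a self-signed cert only protects against passive eavesdropping: clients using sslmode=require still cannot tell this cert from an attacker's, which is the point the thread is circling around.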
