From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Martijn van Oosterhout" <kleptog(at)svana(dot)org> |
Cc: | "Florian Weimer" <fw(at)deneb(dot)enyo(dot)de>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Upcoming re-releases |
Date: | 2006-02-11 16:51:02 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCEA0F77A@algol.sollentuna.se |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> I'm not sure whether our current SSL support does a good job of this
> --- I think it only tries to check whether the server
> presents a valid certificate, not which cert it is. Possibly
> Kerberos does more, but I dunno a thing about that...
If you stick a root certificate (root.crt in ~/.postgresql) for it to
validate against, it will be validated against that root. I'm not sure
if it validates the common name of the cert though - that would be an
issue if you're using a global CA. If you're using a local enterprise
CA, that's a much smaller issue (because you yourself have total control
over who gets certificates issued by the CA).
The way our Kerberos implementation is done, it does *not* validate the
server, just the client. If you want server verification, you must use a
combination of both Kerberos and SSL.
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2006-02-11 17:16:10 | Re: Upcoming re-releases |
Previous Message | Tom Lane | 2006-02-11 16:41:01 | Re: Upcoming re-releases |