From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Greg Stark <stark(at)mit(dot)edu> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Will Crawford <billcrawford1970(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Daniel Farina <daniel(at)heroku(dot)com> |
Subject: | Re: Successor of MD5 authentication, let's use SCRAM |
Date: | 2012-10-23 16:27:18 |
Message-ID: | CA+TgmoZQe1uGpR65CZLs8ptXEuAokowZ9yQRvffu7juY5cj6KA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Oct 22, 2012 at 6:54 PM, Greg Stark <stark(at)mit(dot)edu> wrote:
> I think we can provide a much better warning however. I think we want
> something like 'WARNING: Server identity signed by unknown and
> untrusted authority "Snakeoil CA"'
>
> We could go even further:
> INFO: Server identity "ACME Debian Machine" certified by "Snakeoil CA"
> WARNING: Server identity signed by unknown and untrusted authority "Snakeoil CA"
> HINT: Add either the server certificate or the CA certificate to
> "/usr/lib/ssl/certs" after verifying the identity and certificate hash
>
> SSL is notoriously hard to set up, it would go a long way to give the
> sysadmin an immediate pointer to what certificates are being used and
> where to find or install the CA certs. It might be worth mentioning
> the GUC parameter names to control these things too.
Yeah, this seems like a nice idea if we can do it.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2012-10-23 16:29:11 | Re: "pg_ctl promote" exit status |
Previous Message | Robert Haas | 2012-10-23 16:25:05 | Re: ToDo: KNN Search should to support DISTINCT clasuse? |