| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pgsql: Provide a TLS init hook |
| Date: | 2020-03-25 23:44:55 |
| Message-ID: | 19603.1585179895@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers pgsql-hackers |
I wrote:
> Concretely, I see that contrib/sslinfo has
> SHLIB_LINK += $(filter -lssl -lcrypto -lssleay32 -leay32, $(LIBS))
I verified that that fixes things on macOS and pushed it, along with
a couple other minor fixes.
However, I'm quite desperately unhappy that the new test module
does this:
$node->append_conf('postgresql.conf', "listen_addresses = 'localhost'");
That's opening a security hole. Note that we do *not* run src/test/ssl
by default, and it has a README warning people not to run it on multiuser
systems. It seems 100% unacceptable for this test to fire up a similarly
insecure server without so much as a by-your-leave.
I don't actually see why we need the localhost port at all --- it doesn't
look like this test ever attempts to connect to the server. So couldn't
we just drop that?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2020-03-26 01:11:09 | Re: pgsql: Provide a TLS init hook |
| Previous Message | Tom Lane | 2020-03-25 23:37:39 | pgsql: Fix assorted portability issues in commit 896fcdb23. |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2020-03-25 23:50:08 | Re: plan cache overhead on plpgsql expression |
| Previous Message | Andres Freund | 2020-03-25 23:41:43 | Re: plan cache overhead on plpgsql expression |