Another uberpatch for the SSL code.
The main improvements over the last revision include:
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type

Remaining issues are:
*) select() in legacy code?
*) encrypted private keys
*) session support (useful if auto-reconnection will be supported)
*) anonymous DH
*) fully implemented cert tools
Description: application/tar-gzip (3.9 KB)
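
As an added illustration of the host-name rule in the list above (not code from the attached patch): a C check that accepts the certificate name only if it resolves to the peer address, or is a name or alias the resolver reports for that address. The function names, this reading of "recognized alias", and the `example.test` host data are assumptions; the result is only as trustworthy as the resolver's answers.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if cert_cn is acceptable for the peer, else 0.
 * fwd = resolver entry for cert_cn, rev = resolver entry for the peer
 * address; either is NULL when that lookup failed. */
int cert_name_matches_peer(const char *cert_cn, const struct in_addr *peer,
                           const struct hostent *fwd, const struct hostent *rev)
{
    char **p;
    if (cert_cn == NULL || *cert_cn == '\0' || peer == NULL)
        return 0;
    /* Rule 1: the certificate name resolves to the address we connected to. */
    if (fwd != NULL && fwd->h_addrtype == AF_INET &&
        fwd->h_length == (int) sizeof(*peer))
        for (p = fwd->h_addr_list; p != NULL && *p != NULL; p++)
            if (memcmp(*p, peer, sizeof(*peer)) == 0)
                return 1;
    /* Rule 2: the certificate name is the peer's canonical name or an alias. */
    if (rev != NULL) {
        if (rev->h_name != NULL && strcasecmp(cert_cn, rev->h_name) == 0)
            return 1;
        for (p = rev->h_aliases; p != NULL && *p != NULL; p++)
            if (strcasecmp(cert_cn, *p) == 0)
                return 1;
    }
    return 0; /* fail closed: no match, or both lookups failed */
}

/* Constructed resolver data (documentation addresses, not real hosts). */
int demo_check(const char *cert_cn, const char *peer_ip)
{
    static char *aliases[] = { "pg.example.test", NULL };
    struct in_addr host, peer;
    char *addrs[] = { (char *) &host, NULL };
    struct hostent e = { .h_name = "db.example.test", .h_aliases = aliases,
        .h_addrtype = AF_INET, .h_length = sizeof(host), .h_addr_list = addrs };

    if (inet_pton(AF_INET, "192.0.2.10", &host) != 1 ||
        inet_pton(AF_INET, peer_ip, &peer) != 1)
        return 0;
    return cert_name_matches_peer(cert_cn, &peer,
        strcasecmp(cert_cn, e.h_name) == 0 ? &e : NULL,       /* forward lookup */
        memcmp(&host, &peer, sizeof(host)) == 0 ? &e : NULL); /* reverse lookup */
}

int main(void) { return demo_check("db.example.test", "192.0.2.10") ? 0 : 1; }
```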