| From: | Bear Giles <bgiles(at)coyotesong(dot)com> |
|---|---|
| To: | pgsql-patches(at)postgresql(dot)org |
| Subject: | 2nd revision of SSL patches |
| Date: | 2002-05-21 07:36:09 |
| Message-ID: | 200205210736.BAA13044@eris.coyotesong.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Another uberpatch for the SSL code.
The main improvements over the last revision include:
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Remaining issues are:
*) select() in legacy code?
*) encrypted private keys
*) session support (useful if auto-reconnection will be supported)
*) anonymous DH
*) fully implemented cert tools
Bear
| Attachment | Content-Type | Size |
|---|---|---|
| tools.tar.gz | application/tar-gzip | 3.9 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2002-05-22 00:25:50 | Re: 2nd revision of SSL patches |
| Previous Message | Bear Giles | 2002-05-20 20:03:54 | First cut at SSL documentation |