Re: SSL/TLS support (Was: Re: 7.3.1 stamped)

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Cc: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>, Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSL/TLS support (Was: Re: 7.3.1 stamped)
Date: 2002-12-19 02:34:34
Message-ID: 200212190234.gBJ2YYS02584@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Marc G. Fournier wrote:
> > > My suggestion would be to eventually phase out ssl2 in favor of ssl3 or
> > > tls. And, as we are phasing it out, make it an opt-in thing, where the
> > > dba has to turn on ssl2 KNOWING he is turning on a flawed protocol.
> >
> > That was sort of my point --- if we allow SSLv2 in the server, are we
> > open to any security problems? Maybe not. I just don't know.
>
> My understanding of SSL/TLS is that the DBA himself has to enable it ...
> there has to be a server/client key setup, similar to how it gets done
> with Apache for https connections ... can someone confirm whether this is
> the case?

Uh, I just followed the steps in the PostgresSQL install instructions:

openssl req -new -text -out server.req
openssl rsa -in privkey.pem -out server.key
rm privkey.pem
openssl req -x509 -in server.req -text -key server.key -out server.crt
chmod og-rwx server.key

Isn't that similar to what was required in 7.2.X?

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2002-12-19 02:37:52 Re: 7.3.1 stamped
Previous Message Marc G. Fournier 2002-12-19 02:34:07 Re: 7.3.1 stamped