| From: | dong changyu <dcy1_1999(at)yahoo(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | vulnerability/SSL |
| Date: | 2005-06-08 13:09:24 |
| Message-ID: | 20050608130924.40030.qmail@web52509.mail.yahoo.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi,
I¡¯m using postgreSQL with SSL these days. The version
I¡¯m using is 8.0.3. I found that it¡¯s impossible to
use an encrypted key file.
When you use a protected server.key file, you will be
prompted to input your passphrase EVERYTIME IT¡¯S
USED, not only when you start the server but also when
a client makes a connection. So you have to leave the
key file un-protected. I think it¡¯s a serious
vulnerability since the security relies on the secrecy
of the private key. Without encryption, the only thing
we can use to protect the private key is the access
control mechanism provided by the OS.
Any comments on this issue?
cheers,
Changyu
__________________________________
Discover Yahoo!
Have fun online with music videos, cool games, IM and more. Check it out!
http://discover.yahoo.com/online.html
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Együd Csaba | 2005-06-08 13:12:46 | Re: Where to find translation of Postgres error messages? |
| Previous Message | Howard Cole | 2005-06-08 13:04:34 | Re: Backup Compatibility between minor versions. |