| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: [PATCH] Remove useless DH param code on client side |
| Date: | 2006-04-12 14:09:12 |
| Message-ID: | 20060412140912.GC22456@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
On Wed, Apr 12, 2006 at 10:00:29AM -0400, Tom Lane wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > It's not clear why the code was added in the first place,
>
> I thought it was there to support client-side authentication (ie,
> verifying the server's certificate). We don't support that right
> now but we ought to.
That's there AFAICS, using the functions:
SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb)
That has nothing to do with DH params though, which are purely used to
generate a secret key during negotiation. The server sends you the DH
params as part of the negotiation, the client doesn't need any itself.
http://en.wikipedia.org/wiki/Diffie-Hellman
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kris Jurka | 2006-04-12 22:57:25 | pg_dump insert transactions |
| Previous Message | Tom Lane | 2006-04-12 14:00:29 | Re: [PATCH] Remove useless DH param code on client side |