| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Date: | 2009-04-14 13:18:34 |
| Message-ID: | 20090414131834.GK8123@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
* Martin Pitt (mpitt(at)debian(dot)org) wrote:
> Magnus Hagander [2009-04-11 11:50 +0200]:
> > That has just been brought up from previous versions. Perhaps we need to
> > have a system wide root store as well - then you could point that to
> > whatever snakeoil store you have, and it would find the cert correctly?
>
> We couldn't set this up by default, of course, since each installed
> machine will have a different snakeoil cert (it gets generated during
> installation).
It's worse than that.. Obviously, you can have the client installed on
systems which aren't where the server is (we do this alot..) and there's
no way for a packaging system to pull the cert from the server.
> But at least the servers I know often use something
> like /etc/ssl/certs/<myservername>.crt and point their services (like
> apache, postfix, etc.) to this. However, right now the client side
> psql does not have any system wide configuration files, so adding
> something like this will need some careful design.
If we're going to do something along those lines, we should start by
supporting a CA cert directory or similar. We could then recommend
ca-certificates and default config the client to use those. Of course,
anyone who actually cares about security probably wouldn't install
ca-certificates, but it's what the browsers use.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Martin Pitt | 2009-04-14 14:00:15 | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Previous Message | Stephen Frost | 2009-04-14 13:09:48 | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |