| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Martijn van Oosterhout <kleptog(at)svana(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Will Crawford <billcrawford1970(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Daniel Farina <daniel(at)heroku(dot)com> |
| Subject: | Re: Successor of MD5 authentication, let's use SCRAM |
| Date: | 2012-10-22 14:57:33 |
| Message-ID: | 50855EDD.4050705@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 10/22/2012 10:18 AM, Robert Haas wrote:
> On Sun, Oct 21, 2012 at 11:02 AM, Martijn van Oosterhout
> <kleptog(at)svana(dot)org> wrote:
>> It bugs me every time you have to jump through hoops and get red
>> warnings for an unknown CA, whereas no encryption whatsoever is treated
>> as fine while being actually even worse.
> +1. Amen, brother.
>
Not really, IMNSHO. The difference is that an unencrypted session isn't
pretending to be secure. In any case, it doesn't seem too intrusive for
us to warn, at least in psql, with something like:
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Host
Certificate Unverified
If people want to get more paranoid they can always set PGSSLMODE to
verify-ca or verify-full.
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2012-10-22 15:21:43 | Re: Successor of MD5 authentication, let's use SCRAM |
| Previous Message | Stephen Frost | 2012-10-22 14:24:41 | Re: Deprecations in authentication |