Quick Links

Re: Possible SSL improvements for a newcomer to tackle

From:	Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc:	Zeus Kronion <zkronion(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: Possible SSL improvements for a newcomer to tackle
Date:	2017-10-04 18:47:45
Message-ID:	CAMkU=1zKmHv3Ei0AH_EMnDYtHNSBPwnpuXwgsY4h0Q9PGaXZ7A@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

>
> It's possible that we could adopt some policy like "if the root.crt file
> exists then default to verify" ... but that seems messy and unreliable,
> so I'm not sure it would really add any security.
>

That is what we do. If root.crt exists, we default to verify-ca.

And yes, it is messy and unreliable. I don't know if it adds any security
or not.

Or do you mean we could default to verify-full instead of verify-ca?

Cheers,

Jeff

In response to

Re: Possible SSL improvements for a newcomer to tackle at 2017-10-03 04:33:00 from Tom Lane

Responses

Re: Possible SSL improvements for a newcomer to tackle at 2017-10-04 19:10:37 from Nico Williams

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Peter Geoghegan	2017-10-04 18:50:03	Re: [COMMITTERS] pgsql: Fix freezing of a dead HOT-updated tuple
Previous Message	Nico Williams	2017-10-04 18:24:03	Re: [PATCH] Add ALWAYS DEFERRED option for constraints