| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Greg Stark <stark(at)mit(dot)edu> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Jakob Egger <jakob(at)eggerapps(dot)at>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com> |
| Subject: | Re: sslmode=require fallback |
| Date: | 2016-07-14 21:27:52 |
| Message-ID: | 16340.1468531672@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Greg Stark <stark(at)mit(dot)edu> writes:
> Well what's required to "configure SSL" anyways? If you don't have
> verify-ca set or a root canal cert present then the server just needs a
> certificate -- any certificate. Can the server just cons one up on demand
> (or server startup or initdb)?
Hmm, good old "snake oil certificate" approach. Yeah, we could probably
have initdb create a cert all the time. I had memories of this taking
an undue amount of time, but it seems pretty fast on a modern server.
Also, we could offer a switch to turn it off if necessary, with the
understanding that non-Unix-socket connections can be expected to fail
if user doesn't install a cert.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2016-07-14 21:34:40 | Re: sslmode=require fallback |
| Previous Message | Greg Stark | 2016-07-14 21:14:27 | Re: sslmode=require fallback |