| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net> |
| Subject: | Re: SSL cleanups/hostname verification |
| Date: | 2008-10-21 15:16:30 |
| Message-ID: | 200810211816.31897.peter_e@gmx.net |
| Lists: | pgsql-hackers |

On Tuesday 21 October 2008 15:47:35 Tom Lane wrote:
> Gregory Stark <stark(at)enterprisedb(dot)com> writes:
> > Sort of. SSH requires you to install the certificate of the server
> > locally before connecting. If you don't it pops up a big warning and asks
> > if you want to install it. On subsequent connections it looks up the key
> > for the name of the host you're trying to connect to and insists it
> > match. If it doesn't it pops up a *huge* error and refuses to connect.
>
> Um, IIRC what it's checking there is the server's key signature, which
> has nada to do with certificates.

It checks the fingerprint of the server public key. And a certificate is
exactly a public key with additional information that explains whose public
key that is. So when you install the fingerprint sent by the SSH server in
your local known_hosts, then the server public key becomes a certificate.
Sort of. But it's related.
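
The host-key check discussed in this message, as an added example that is not part of the original e-mail or of OpenSSH: it computes a public-key fingerprint and runs a simplified pin check against known_hosts-style lines. The key blobs, host names and function names are constructed for illustration, and only unhashed host entries are assumed.

```python
import base64
import hashlib

# Constructed sample key blobs (not real host keys), in SSH wire format.
_PREFIX = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
KEY_A = base64.b64encode(_PREFIX + bytes(range(32))).decode()
KEY_B = base64.b64encode(_PREFIX + bytes(range(1, 33))).decode()
# Constructed known_hosts content; hashed ("|1|...") host entries are not handled.
SAMPLE = "# constructed example\ndb.example.test,10.0.0.5 ssh-ed25519 " + KEY_A + " note\n"

def fingerprint(key_b64):
    """Fingerprint of the public key blob: unpadded base64 of its SHA-256 digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map each host name to the set of (keytype, key_b64) pinned for it."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        for host in fields[0].split(","):
            pins.setdefault(host, set()).add((fields[1], fields[2]))
    return pins

def check_host_key(pins, host, keytype, key_b64):
    """Simplified model: 'match', 'mismatch' (refuse), or 'unknown' (ask the user)."""
    known = pins.get(host, set())
    presented = base64.b64decode(key_b64)
    same_type = [k for t, k in known if t == keytype]
    if any(base64.b64decode(k) == presented for k in same_type):
        return "match"
    # A different key of the same type is already pinned for this name.
    return "mismatch" if same_type else "unknown"

if __name__ == "__main__":
    pins = parse_known_hosts(SAMPLE)
    for host, key in [("db.example.test", KEY_A), ("db.example.test", KEY_B),
                      ("new.example.test", KEY_A)]:
        print(host, fingerprint(key), check_host_key(pins, host, "ssh-ed25519", key))
```

The pin binds a name to a key only because the local user accepted it; no third party vouches for the binding, which is the difference from a CA-signed certificate that the thread is circling.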