From: | Andreas <maps(dot)on(at)gmx(dot)net> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Need a wee bit more info on PostgreSQL's SSL security options |
Date: | 2007-06-02 22:21:14 |
Message-ID: | 4661ED5A.2050701@gmx.net |
Lists: | pgsql-general |
Hi,

I've got it so far:

Server-OS: Debian 3.1 sarge
PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version available)

Following a tutorial (actually for OpenVPN as I didn't find any for PG
that goes beyond what is found in the main docu) I created a CA, server
and client certificate, updated postgresql.conf and pg_hba.conf, did a
restart of PG and connected from a Windows box with pgAdmin.

NICE :)

Now as far as I see, even though I have my postgresql.crt+key in place,
I still have to provide username and password, right?

The server rejects my connection attempt if I move postgresql.crt+key
away. That's to be expected.

Can I further check the security of the server? The aim will be to have
the port open to the Internet.

How can I check that PG accepts only keys produced by my CA?

What would be the correct "Common Name" of a client?

I read that the client can maintain a file root.crt to check the
identity of the db-server.
Is this the root.crt that sits in PG's data-directory or is it the
server.crt?

In the documentation there is a certificate-revocation-list-file mentioned.
I suspect this is to revoke a formerly granted key that got lost or is
owned by a person who shouldn't be allowed to access the dbms anymore.
How is this CRL file set up?

Is there documentation that covers those matters more deeply than
chapter 16.8 and 20.1 of PG's main documentation?
Especially the whole client-side topic is rather thin for a newbie.

Regards
Andreas
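
An offline check for the "only keys produced by my CA" question, as an added example that is not part of the original message: it builds two constructed throwaway CAs, issues a client certificate from each, and verifies both against a stand-in root.crt holding only the first CA. The CA names, the `dbuser` subject and every file name other than root.crt are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and keys are constructed throwaway values.
set -eu

# make_ca DIR CN: self-signed CA (DIR/ca.key, DIR/ca.crt)
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client CADIR PREFIX CN: PREFIX.key and PREFIX.crt signed by CADIR's CA
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$2.crt" 2>/dev/null
}

# chain_ok ROOT CERT: true only if CERT chains to a CA listed in ROOT.
# The "OK" line is matched rather than relying on the exit status alone.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# verdict ROOT CERT: prints "accepted" or "rejected"
verdict() {
    if chain_ok "$1" "$2"; then echo accepted; else echo rejected; fi
}

run_demo() {
    work=$(mktemp -d)
    make_ca "$work/own" "Constructed Own CA"
    make_ca "$work/foreign" "Constructed Foreign CA"
    issue_client "$work/own" "$work/good" "dbuser"
    issue_client "$work/foreign" "$work/rogue" "dbuser"
    cp "$work/own/ca.crt" "$work/root.crt"   # stands in for the server's root.crt
    echo "own-CA client cert:     $(verdict "$work/root.crt" "$work/good.crt")"
    echo "foreign-CA client cert: $(verdict "$work/root.crt" "$work/rogue.crt")"
}

run_demo
```

Presenting the foreign-CA pair to the real server in place of postgresql.crt and its key should then be refused; that step needs the running server and is not scripted here.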