| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Cc: | Martin Pitt <mpitt(at)debian(dot)org> |
| Subject: | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Date: | 2009-04-11 09:50:39 |
| Message-ID: | 49E067EF.7000508@hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Martin Pitt wrote:
> Peter Eisentraut [2009-04-10 14:56 +0300]:
>> I assume the server has the snakeoil certificate installed? In that case, it
>> is correct that the client refuses to proceed, although the exact manner of
>> breaking could perhaps be improved.
>
> Is it really refusing self-signed certificates? That would be strange.
It treats self-signed certificates the same way it treats anything else.
In the case of a self-signed one, the certificate and the CA certificate
are the same. Thus, you have to copy the server certificate to the client.
(This is, of course, not a security issue in itself, because you don't
copy the *key* over. Just as a FYI to those who thought it would be :-P)
> I had thought it checks whether the user has the server signing
> certificate of the server installed on his client home directory
> (which, BTW, seems like a strange place to default to, and thus keep
> it).
That has just been brought up from previous versions. Perhaps we need to
have a system wide root store as well - then you could point that to
whatever snakeoil store you have, and it would find the cert correctly?
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | mattiermold | 2009-04-11 11:17:04 | BUG #4756: Installationproblems |
| Previous Message | John R Pierce | 2009-04-11 03:53:02 | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |