Re: Successor of MD5 authentication, let's use SCRAM

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Darren Duncan <darren(at)darrenduncan(dot)net>
Cc: John R Pierce <pierce(at)hogranch(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-13 14:00:34
Message-ID: 50797402.5000104@dunslane.net
Lists: pgsql-hackers


On 10/13/2012 01:55 AM, Darren Duncan wrote:
> John R Pierce wrote:
>> On 10/12/12 9:00 PM, Darren Duncan wrote:
>>> And now we're migrating to Red Hat for the production launch, using
>>> the http://www.postgresql.org/download/linux/redhat/ packages for
>>> Postgres 9.1, and these do *not* include the SSL.
>>
>> hmm? I'm using the 9.1 for CentOS 6(RHEL 6) and libpq.so certainly
>> has libssl3.so, etc as references. ditto the postmaster/postgres
>> main program has libssl3.so too. maybe your certificate chains
>> don't come pre-built, I dunno, I haven't dealt with that end of things.
>
> Okay, I'll have to look into that. All I know is out of the box SSL
> just worked on Debian and it didn't on Red Hat; trying to enable SSL
> on out of the box Postgres on Red Hat gave a fatal error on server
> start, at the very least needing the installation of SSL keys/certs,
> which I didn't have to do on Debian. -- Darren Duncan
Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as
unimpressed. I'd argue that's worse than doing nothing. Here's what the
docs say (rightly) about such certificates:

A self-signed certificate can be used for testing, but a certificate
signed by a certificate authority (CA) (either one of the global CAs
or a local one) should be used in production so that clients can
verify the server's identity. If all the clients are local to the
organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope
of Postgres, and I would not expect packagers to do it. I have created a
local CA for RedHat and friends any number of times, and created signed
certs for Postgres, both server and client, using them. It's not
terribly hard.

cheers

andrew
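The local-CA setup Andrew describes, as an added example (not his code and not part of PostgreSQL): a shell script that creates a local CA with openssl, signs a server certificate with it, and shows that the CA-signed certificate chains to the CA while a self-signed server certificate does not. The host name, paths and CA name are constructed for the example; it assumes openssl(1) is installed.

```shell
#!/bin/sh
# Added example, not from the thread: build a local CA with openssl(1),
# sign a PostgreSQL server certificate with it, and compare the result
# with a self-signed server certificate. Host name and paths are constructed.
set -eu

# Create CA key + root cert, then a server key + CSR, then sign the CSR.
make_local_ca() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # The root is self-signed by design: it is a trust anchor, not a server cert.
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -subj "/CN=Example Local PostgreSQL CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # CN must equal the host name clients connect to, or verify-full rejects it.
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
  # The server refuses to start if the key file is group/world readable.
  chmod 600 "$dir/server.key" "$dir/root.key"
}

# Self-signed server cert, for contrast (the "testing only" case in the docs).
make_self_signed() {
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" 2>/dev/null
}

# 0 if cert $2 chains to the CA in $1 (what a client with sslrootcert=$1 checks).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the cert's CN equals host name $2 (the host check sslmode=verify-full adds).
cn_matches() { openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2\$"; }

main() {
  d=$(mktemp -d); h=db.example.internal
  make_local_ca "$d" "$h"; make_self_signed "$d" "$h"
  verify_chain "$d/root.crt" "$d/server.crt" && echo "CA-signed cert: chain OK"
  verify_chain "$d/root.crt" "$d/selfsigned.crt" || echo "self-signed cert: no chain"
  # Server side: ssl = on, ssl_cert_file = 'server.crt', ssl_key_file = 'server.key'
  # Client side: psql "host=$h sslmode=verify-full sslrootcert=root.crt"
  rm -rf "$d"
}
main
```

Distribute only root.crt to clients; root.key stays offline, since anyone holding it can issue certificates those clients will trust.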
