* Martin Pitt ([email protected]) wrote: > Magnus Hagander [2009-04-11 11:50 +0200]: > > That has just been brought up from previous versions. Perhaps we need to > > have a system wide root store as well - then you could point that to > > whatever snakeoil store you have, and it would find the cert correctly? > > We couldn't set this up by default, of course, since each installed > machine will have a different snakeoil cert (it gets generated during > installation).
It's worse than that.. Obviously, you can have the client installed on
systems which aren't where the server is (we do this alot..) and there's
no way for a packaging system to pull the cert from the server.
> But at least the servers I know often use something
> like /etc/ssl/certs/<myservername>.crt and point their services (like
> apache, postfix, etc.) to this. However, right now the client side
> psql does not have any system wide configuration files, so adding
> something like this will need some careful design.
If we're going to do something along those lines, we should start by
supporting a CA cert directory or similar. We could then recommend
ca-certificates and default config the client to use those. Of course,
anyone who actually cares about security probably wouldn't install
ca-certificates, but it's what the browsers use.
Thanks,
Stephen
signature.asc
Description: Digital signature
