Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Magnus Hagander [2009-04-12 0:29 +0200]: > The option is there already, it's called "none". That's what people are > asking for - they don't care who they are connecting to, just that the > traffic is encrypted (be it legitimate or hacked traffic, at least it's > encrypted). For the record, I don

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Magnus Hagander [2009-04-11 11:50 +0200]: > It treats self-signed certificates the same way it treats anything else. > In the case of a self-signed one, the certificate and the CA certificate > are the same. Thus, you have to copy the server certificate to the client. Right, that's what I had expe

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Magnus Hagander [2009-04-12 0:58 +0200]: > Which means that every time I connect, I need to first to make sure that > the file is there, and that the proper user has permissions to read the > file, *before* I connect. Arguably the connection should fail if the file is present, but cannot be read

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Hello Bruce, Bruce Momjian [2009-04-11 8:33 -0400]: > I noticed you didn't quote the next sentence: > > The SSL connection will fail if the server does not present a trusted > certificate. Indeed. When I read it first, it seemed unrelated to me, but now I understand where this was

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Stephen Frost
* Martin Pitt (mp...@debian.org) wrote: > For the record, I don't agree. SSL certificate validation is good, and > should be done as long as you have a cert installed. Encryption > without authentication is not worth a lot, after all. I disagree, and you *can* do authentication without SSL! The b

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Stephen Frost
* Martin Pitt (mp...@debian.org) wrote: > Magnus Hagander [2009-04-11 11:50 +0200]: > > That has just been brought up from previous versions. Perhaps we need to > > have a system wide root store as well - then you could point that to > > whatever snakeoil store you have, and it would find the cert

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Stephen Frost [2009-04-14 9:09 -0400]: > I disagree, and you *can* do authentication without SSL! I know. But then you do have authentication as well, which was exactly my point. Also, I said "not a lot better", not "totally useless". Martin -- Martin Pitt| http://www.

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Martin Pitt
Stephen Frost [2009-04-14 9:18 -0400]: > * Martin Pitt (mp...@debian.org) wrote: > > We couldn't set this up by default, of course, since each installed > > machine will have a different snakeoil cert (it gets generated during > > installation). > > It's worse than that.. Obviously, you can hav

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Peter Eisentraut
On Sunday 12 April 2009 12:52:53 Magnus Hagander wrote: > This is a different way to do Bruce's suggestion of a different > default. That's possibly even clearer. So I can definitely go with > this, but I think two different parameters makes it more clear and is > better. I think altogether c

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Peter Eisentraut
On Tuesday 14 April 2009 17:05:45 Martin Pitt wrote: > Of course I assumed that the server and client are on different > systems. If they are on the same, then we just use the Unix socket and > don't need all this SSL fuss at all. That's what you think. Just read the hackers thread about SSL over

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Bruce Momjian
Magnus Hagander wrote: > On 14 apr 2009, at 04.33, Bruce Momjian wrote: > > > Magnus Hagander wrote: > >>> I would actually call the two parameters 'verify-cert' and 'verify- > >>> cn', > >>> and document that they also have "require" behavior. Obviously you > >>> can't verify certificates unle

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Bruce Momjian
Applied. Depending on how we handle this the error text might need to change but odds are we will still need to report something related to sslmode/sslverify when root.crt is missing. --- Bruce Momjian wrote: > Peter Eisent

Re: [BUGS] libpq 8.4 beta1: $PGHOST complains about missing root.crt

2009-04-14 Thread Bruce Momjian
Bruce Momjian wrote: > > That's the intention. When you're turning off something, I think it > > makes sense to use "no" > > But that doesn't scale: sslmode currently has four options, soon > perhaps to be six. The idea is that the items should be of increasing > security, and adding "no"

[BUGS] PostgreSQL Windows XP Installer Problem

2009-04-14 Thread Wilcox, Dwight CIV SPAWAR SSC PAC, 53627
Your name : Dwight Wilcox
Your email address : dwight.wil...@navy.mil
System Configuration
Architecture : Intel Pentium
Operating System : Windows XP
PostgreSQL version : postgresql-8.3.7-1-windows.exe
Compiler used : not applicable
Please enter a FULL de