revised SSL patches submitted 

Another set of SSL patches has been sent to the patches list.
(No idea when they'll get through the system.)  This is a new
baseline set of patches that fix many of the problems identified
earlier and also add a number of security patches.

N.B., some of these changes are visible to the user, but are
common practice for SSL code.  The most notable is a minimal
certificate validation that requires that certs be current
(no more expired certs) and that the cert's common name match
the hostname used when contacting the backend.

This means that a cert containing a common name such as
'eris.example.com' *must* be accessed via

  psql -h eris.example.com ...

not

  psql -h eris ...

A future patch can relax this so that the common name can
resolve to the address returned by getpeername(2).

Client certs are optional, but if they exist they are expected
in the user's home directory, under the .postgresql directory.
Encrypted private keys are not yet supported.

Bear




Fri, 05 Nov 2004 14:49:17 GMT
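
The check described in the post (the cert must be current and its common name must match the hostname given to psql), as an added example that is not part of the original post or of the submitted patches. The struct cert_info, the result codes and the sample timestamps are hypothetical, and the embedded-NUL guard and case-insensitive comparison are assumptions about how such a check is usually hardened, not something the post states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the fields a client reads from the server cert. */
struct cert_info {
    const char *cn;       /* subject common name bytes */
    size_t      cn_len;   /* length as stored in the certificate */
    time_t      not_before, not_after;   /* validity window */
};

enum cert_result { CERT_OK, CERT_NOT_YET_VALID, CERT_EXPIRED,
                   CERT_BAD_NAME, CERT_NAME_MISMATCH };

/* Constructed sample: CN eris.example.com, valid for t in [1000, 2000]. */
static const struct cert_info sample_cert = {
    "eris.example.com", sizeof("eris.example.com") - 1, 1000, 2000
};

enum cert_result check_cert(const struct cert_info *c, const char *host, time_t now)
{
    size_t i;

    if (now < c->not_before) return CERT_NOT_YET_VALID;
    if (now > c->not_after)  return CERT_EXPIRED;

    /* A CN with an embedded NUL would be truncated by C string functions,
     * so the stored length is checked before any comparison (assumption). */
    if (c->cn_len == 0 || memchr(c->cn, '\0', c->cn_len) != NULL)
        return CERT_BAD_NAME;

    /* Whole-name, case-insensitive match: "eris" != "eris.example.com". */
    if (strlen(host) != c->cn_len) return CERT_NAME_MISMATCH;
    for (i = 0; i < c->cn_len; i++)
        if (tolower((unsigned char)c->cn[i]) != tolower((unsigned char)host[i]))
            return CERT_NAME_MISMATCH;
    return CERT_OK;
}

int main(void)
{
    printf("eris.example.com -> %d\n", check_cert(&sample_cert, "eris.example.com", 1500));
    printf("eris             -> %d\n", check_cert(&sample_cert, "eris", 1500));
    printf("after expiry     -> %d\n", check_cert(&sample_cert, "eris.example.com", 2500));
    return 0;
}
```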
 