Re: Need a wee bit more info on PostgreSQL's SSL security options

On Sun, Jun 03, 2007 at 12:21:14AM +0200, Andreas wrote:
> Hi,
>
> I've got it so far:
> Server-OS: Debian 3.1 sarge
> PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
> available)
>
> Following a tutorial (actually for OpenVPN as I didn't find any for PG
> that goes beyond what is found in the main docu) I created a CA, server
> and client certificate, updated postgresql.conf and pg_hba.conf, did a
> restart of PG and connected from a windows box with pgAdmin.
> NICE :)
>
> Now as far as I see, even though I have my postgresql.crt+key in place,
> I still have to provide username and password, right?

Yes. postgresql can check that the client provides valid certificates,
you cannot however yet authenticate with certificates.

> Can I further check the security of the server? The aim will be to have
> the port open to the Internet.

Try to connect without SSL?

> Is there a documentation, that covers those matters more deeply than
> chapter 16.8 and 20.1 of PG's main documentation?
> Especially the whole client-side topic is rather thin for a newbie.

There's 29.16:
http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html

As for CRL, I think that was only added after 8.1.

Other than that I don't know.

Hope this helps,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.