Re: Spoofing as the postmaster
From | Bruce Momjian |
---|---|
Subject | Re: Spoofing as the postmaster |
Date | |
Msg-id | 200712290323.lBT3NIS28891@momjian.us |
In reply to | Re: Spoofing as the postmaster (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > Agreed. Requiring client root certificate checking is heavy-handed.
>
> There seems to be some confusion here. I didn't think anyone was
> proposing that we force every installation to require client root
> certificate checking. What was under discussion (I thought) was
> providing the ability for a DBA to *choose* to require it.

Oh, yea, that would be OK. I am a little worried that the extra
configuration required to turn this on/off might be added complexity for
little gain. It might be simpler to allow the administrator to control
whether non-checking clients are logged, rather than refusing the
connection. I think this makes it clearer the root client check is to
make sure all your clients are doing it right, rather than an actual
security enhancement (if that makes sense).

> > Of course I am not sure anyone knows how to get that information from
> > SSL.
>
> Yeah, if OpenSSL doesn't support testing for this then the discussion
> is moot...

Yea.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +