Re: SSL cleanups/hostname verification
From | Peter Eisentraut |
---|---|
Subject | Re: SSL cleanups/hostname verification |
Date | |
Msg-id | 200810211816.31897.peter_e@gmx.net |
In response to | Re: SSL cleanups/hostname verification (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

On Tuesday 21 October 2008 15:47:35 Tom Lane wrote:
> Gregory Stark <stark@enterprisedb.com> writes:
> > Sort of. SSH requires you to install the certificate of the server
> > locally before connecting. If you don't it pops up a big warning and asks
> > if you want to install it. On subsequent connections it looks up the key
> > for the name of the host you're trying to connect to and insists it
> > match. If it doesn't it pops up a *huge* error and refuses to connect.
>
> Um, IIRC what it's checking there is the server's key signature, which
> has nada to do with certificates.

It checks the fingerprint of the server public key. And a certificate is exactly a public key with additional information that explains whose public key that is. So when you install the fingerprint sent by the SSH server in your local known_hosts, then the server public key becomes a certificate. Sort of. But it's related.
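
The behaviour discussed in this exchange, a key fingerprint pinned to a host name on first contact and enforced on later connections, as an added example that is not part of the original message. `PinStore` and the host names are hypothetical, the key blobs are constructed, and the fingerprint uses the current OpenSSH SHA256 display format rather than whatever a 2008 client printed.

```python
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class PinStore:
    """Hypothetical in-memory stand-in for known_hosts: host name -> pinned fingerprint."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, key_blob: bytes, accept_new: bool = False) -> str:
        fp = fingerprint(key_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing vouches for the key, the user has to decide.
            if accept_new:
                self.pins[host] = fp
                return "pinned"
            return "unknown"
        # Later contacts: the stored (name, key) binding is enforced.
        return "match" if pinned == fp else "mismatch"


def demo():
    store = PinStore()
    key_a = b"constructed-host-key-A"  # constructed sample, not a real key blob
    key_b = b"constructed-host-key-B"  # constructed sample, not a real key blob
    return [
        store.check("db.example.org", key_a),                   # warning shown, not yet trusted
        store.check("db.example.org", key_a, accept_new=True),  # user installs the key
        store.check("db.example.org", key_a),                   # same key, same name
        store.check("db.example.org", key_b),                   # key changed: refuse
        store.check("other.example.org", key_a),                # same key, different name
    ]


if __name__ == "__main__":
    print(demo())
```

The last case shows why the pinned entry behaves like a certificate: trust attaches to the pair of host name and key, so a known key presented under another name is still untrusted.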