Re: Successor of MD5 authentication, let's use SCRAM
From | Andrew Dunstan |
---|---|
Subject | Re: Successor of MD5 authentication, let's use SCRAM |
Date | |
Msg-id | 50797402.5000104@dunslane.net |
In response to | Re: Successor of MD5 authentication, let's use SCRAM (Darren Duncan <darren@darrenduncan.net>) |
Responses | Re: Successor of MD5 authentication, let's use SCRAM; Re: Successor of MD5 authentication, let's use SCRAM |
List | pgsql-hackers |

On 10/13/2012 01:55 AM, Darren Duncan wrote:
> John R Pierce wrote:
>> On 10/12/12 9:00 PM, Darren Duncan wrote:
>>> And now we're migrating to Red Hat for the production launch, using
>>> the http://www.postgresql.org/download/linux/redhat/ packages for
>>> Postgres 9.1, and these do *not* include the SSL.
>>
>> hmm? I'm using the 9.1 for CentOS 6(RHEL 6) and libpq.so certainly
>> has libssl3.so, etc as references. ditto the postmaster/postgres
>> main program has libssl3.so too. maybe your certificate chains
>> don't come pre-built, I dunno, I haven't dealt with that end of things.
>
> Okay, I'll have to look into that. All I know is out of the box SSL
> just worked on Debian and it didn't on Red Hat; trying to enable SSL
> on out of the box Postgres on Red Hat gave a fatal error on server
> start, at the very least needing the installation of SSL keys/certs,
> which I didn't have to do on Debian. -- Darren Duncan

Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as
unimpressed. I'd argue that's worse than doing nothing. Here's what the
docs say (rightly) about such certificates:

    A self-signed certificate can be used for testing, but a certificate
    signed by a certificate authority (CA) (either one of the global CAs
    or a local one) should be used in production so that clients can
    verify the server's identity. If all the clients are local to the
    organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope
of Postgres, and I would not expect packagers to do it.

I have created a local CA for RedHat and friends any number of times,
and created signed certs for Postgres, both server and client, using
them. It's not terribly hard.

cheers

andrew