Re: sslmode=require fallback
From | Andreas 'ads' Scherbaum |
---|---|
Subject | Re: sslmode=require fallback |
Date | |
Msg-id | 5788A39F.5010703@wars-nicht.de |
In response to | Re: sslmode=require fallback (Magnus Hagander <magnus@hagander.net>) |
List | pgsql-hackers |

On 14.07.2016 23:34, Magnus Hagander wrote:
>
>
> On Thu, Jul 14, 2016 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Greg Stark <stark@mit.edu> writes:
> > Well what's required to "configure SSL" anyways? If you don't have
> > verify-ca set or a root canal cert present then the server just needs a
> > certificate -- any certificate. Can the server just cons one up on demand
> > (or server startup or initdb)?
>
> Hmm, good old "snake oil certificate" approach. Yeah, we could probably
> have initdb create a cert all the time. I had memories of this taking
> an undue amount of time, but it seems pretty fast on a modern server.
>
>
> It can still take a very significant amount of time in some virtual
> environments, due to lack of entropy. And virtual environments aren't
> exactly uncommon these days...

What expire time would you choose for the certificate? One year? Two years? Which tool is going to re-generate your new cert, once this one expires? You don't want to run initdb again ...

Regards,

--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project