Re: SSL cleanups/hostname verification
From | Greg Stark |
---|---|
Subject | Re: SSL cleanups/hostname verification |
Date | |
Msg-id | 731550C3-C781-4F81-B790-39861A158762@enterprisedb.com |
In response to | Re: SSL cleanups/hostname verification (Peter Eisentraut <peter_e@gmx.net>) |
List | pgsql-hackers |
Then they may as well not have bothered with generating a key in the first place since an attacker can generate one of his own just as easily...

Actually that's not entirely true. A non-authenticated connection still protects against passive attacks like sniffers. But active attacks are known in the wild.

greg

On 21 Oct 2008, at 09:04 AM, Peter Eisentraut <peter_e@gmx.net> wrote:

> Magnus Hagander wrote:
>> Robert Haas wrote:
>>>>> How can you make that the default? Won't it immediately break every
>>>>> installation without certificates?
>>>> *all* SSL installations have certificate on the server side. You cannot
>>>> run without it.
>>> s/without certificates/with self-signed certificates/
>>>
>>> which I would guess to be a common configuration
>> Self-signed still work. In a self-signed scenario, the server
>> certificate *is* the CA certificate.
>
> But the user needs to copy the CA to the client, which most people
> probably don't do nowadays.
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers