Обсуждение: SSL (patch 9)
SSL patch that adds support for optional client certificates. If the user has certificates in $HOME/.postgresql/postgresql.crt and $HOME/.postgresql/postgresql.key exist, they are provided to the server. The certificate used to sign this cert must be known to the server, in $DataDir/root.crt. If successful, the cert's "common name" is logged. Client certs are not used for authentication, but they could be via the port->peer (X509 *), port->peer_dn (char *) or port->peer_cn (char *) fields. Or any other function could be used, e.g., many sites like the issuer + serial number hash. Bear
Вложения
Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Bear Giles wrote:
> SSL patch that adds support for optional client certificates.
>
> If the user has certificates in $HOME/.postgresql/postgresql.crt
> and $HOME/.postgresql/postgresql.key exist, they are provided
> to the server. The certificate used to sign this cert must be
> known to the server, in $DataDir/root.crt. If successful, the
> cert's "common name" is logged.
>
> Client certs are not used for authentication, but they could be
> via the port->peer (X509 *), port->peer_dn (char *) or
> port->peer_cn (char *) fields. Or any other function could be
> used, e.g., many sites like the issuer + serial number hash.
>
> Bear
Content-Description: /tmp/patch9
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Patch applied. Thanks. --------------------------------------------------------------------------- Bear Giles wrote: > SSL patch that adds support for optional client certificates. > > If the user has certificates in $HOME/.postgresql/postgresql.crt > and $HOME/.postgresql/postgresql.key exist, they are provided > to the server. The certificate used to sign this cert must be > known to the server, in $DataDir/root.crt. If successful, the > cert's "common name" is logged. > > Client certs are not used for authentication, but they could be > via the port->peer (X509 *), port->peer_dn (char *) or > port->peer_cn (char *) fields. Or any other function could be > used, e.g., many sites like the issuer + serial number hash. > > Bear Content-Description: /tmp/patch9 [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026