Bruce Momjian wrote: > Tom Lane wrote: > > 2. Improve our documentation about how to set up mutual authentication > > under SSL (it's a bit scattered now). > > > > 3. Recommend using mutual auth even for local connections, if a server > > containing sensitive data is to be run on a machine that also hosts > > untrusted users. > > > > As somebody noted, it's probably even better policy to not have any > > sensitive data on a machine that hosts untrusted users, and it wouldn't > > hurt for the docs to point that out; but we should have a documented > > solution available if you have to do it. > > I have added the section about preventing server spoofing and updated the SSL > documentation to be more logical and clearer about certificates. > > The major updated sections are: > > http://momjian.us/tmp/pgsql/preventing-server-spoofing.html > http://momjian.us/tmp/pgsql/ssl-tcp.html > http://momjian.us/tmp/pgsql/libpq-ssl.html > > I have to say I didn't understand the certificate stuff before, but I > think it should be clearer now to anyone who reads it.
I have just added two documentation tables outlining SSL file usage for client and server. -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---------------------------(end of broadcast)--------------------------- TIP 4: Have you searched our list archives? http://archives.postgresql.org