Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Agreed.  Requiring client root certificate checking is heavy-handed.
> 
> There seems to be some confusion here.  I didn't think anyone was
> proposing that we force every installation to require client root
> certificate checking.  What was under discussion (I thought) was
> providing the ability for a DBA to *choose* to require it.

Oh, yea, that would be OK.  I am a little worried that the extra
configuration required to turn this on/off might be added complexity for
little gain.

It might be simpler to allow the administrator to control whether
non-checking clients are logged, rather than refusing the connection.  I
think this makes it clearer the root client check is to make sure all
your clients are doing it right, rather than an actual security
enhancement (if that makes sense).

> > Of course I am not sure anyone knows how to get that information from
> > SSL.
> 
> Yeah, if OpenSSL doesn't support testing for this then the discussion
> is moot...

Yea.

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster

Reply via email to