On Mon, Nov 17, 2008 at 03:04, Magnus Hagander <[EMAIL PROTECTED]> wrote: > Alex Hunsaker wrote: >> On Sat, Nov 15, 2008 at 17:39, Tom Lane <[EMAIL PROTECTED]> wrote: >>> 2. Root cert file present but we fail to load it: FATAL is probably okay >>> here, but not with that hint message. >> >> Err, I was just trying to be congruent with HEAD. Currently that's >> the message you get if we could not "read" the root cert. (as a LOG, >> not FATAL). Should just drop the hint and keep the FATAL for this >> case? > > Yes, I think so. > > New version of the patch attached.
Looks good to me. >> Also we check that the private key is at least 0600, should we be >> doing the same for the root cert? > > No need. The certificate is public information. The first thing we do on > an SSL connection is to send the thing to the client anyway. > > We *could* check that it's not writable by anybody else - but do we > check that for our datafiles which contain the actual passwords and > such? If not, that would just be strange to do here, really.. Makes sense. > //Magnus -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
