On 10/13/2012 01:55 AM, Darren Duncan wrote:
> John R Pierce wrote:
>> On 10/12/12 9:00 PM, Darren Duncan wrote:
>>> And now we're migrating to Red Hat for the production launch, using
>>> the http://www.postgresql.org/download/linux/redhat/ packages for
>>> Postgres 9.1, and these do *not* include the SSL.
>>
>> hmm? I'm using the 9.1 for CentOS 6(RHEL 6) and libpq.so certainly
>> has libssl3.so, etc as references. ditto the postmaster/postgres
>> main program has libssl3.so too. maybe your certificate chains
>> don't come pre-built, I dunno, I haven't dealt with that end of things.
>
> Okay, I'll have to look into that. All I know is out of the box SSL
> just worked on Debian and it didn't on Red Hat; trying to enable SSL
> on out of the box Postgres on Red Hat gave a fatal error on server
> start, at the very least needing the installation of SSL keys/certs,
> which I didn't have to do on Debian. -- Darren Duncan

Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as
unimpressed. I'd argue that's worse than doing nothing. Here's what the
docs say (rightly) about such certificates:

    A self-signed certificate can be used for testing, but a certificate
    signed by a certificate authority (CA) (either one of the global CAs
    or a local one) should be used in production so that clients can
    verify the server's identity. If all the clients are local to the
    organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope
of Postgres, and I would not expect packagers to do it. I have created a
local CA for RedHat and friends any number of times, and created signed
certs for Postgres, both server and client, using them. It's not
terribly hard.
cheers
andrew
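
The local-CA setup described in the message above, sketched with the openssl CLI as an added example; it is not from the thread or from the Postgres packages. The CA name, the host name `db.example.internal` and the output directory layout are assumptions.

```shell
#!/bin/sh
# Added example: local CA plus a CA-signed PostgreSQL server certificate.
# Assumed names (not from the thread): "Example Local CA", db.example.internal.

# make_pg_certs DIR HOST: writes ca.key, root.crt, server.key, server.crt to DIR.
make_pg_certs() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # 1. Local CA: private key and self-signed root certificate.
    #    Only root.crt is distributed; ca.key stays offline.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example Local CA" \
        -keyout "$dir/ca.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. Server key and signing request. The CN must be the host name
    #    clients connect to, or verify-full will reject the server.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Sign the request with the local CA.
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -out "$dir/server.crt" 2>/dev/null || return 1
    # The server refuses to start if server.key is group/world readable.
    chmod 600 "$dir/server.key" "$dir/ca.key"
}

# verify_pg_cert DIR: succeeds only if server.crt chains to root.crt.
verify_pg_cert() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Deployment (PostgreSQL 9.1 file names):
#   server: copy server.crt and server.key into the data directory,
#           owned by the postgres user, and set "ssl = on" in postgresql.conf
#   client: copy root.crt to ~/.postgresql/root.crt and connect with
#           psql "host=db.example.internal sslmode=verify-full"
```

With `sslmode=verify-full` the client checks both the chain to `root.crt` and the host name, which is the identity check a lone self-signed certificate cannot provide.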