On 10/13/2012 01:55 AM, Darren Duncan wrote:
John R Pierce wrote:
On 10/12/12 9:00 PM, Darren Duncan wrote:
And now we're migrating to Red Hat for the production launch, using the http://www.postgresql.org/download/linux/redhat/ packages for Postgres 9.1, and these do *not* include the SSL.

hmm? I'm using the 9.1 for CentOS 6(RHEL 6) and libpq.so certainly has libssl3.so, etc as references. ditto the postmaster/postgres main program has libssl3.so too. maybe your certificate chains don't come pre-built, I dunno, I haven't dealt with that end of things.

Okay, I'll have to look into that. All I know is out of the box SSL just worked on Debian and it didn't on Red Hat; trying to enable SSL on out of the box Postgres on Red Hat gave a fatal error on server start, at the very least needing the installation of SSL keys/certs, which I didn't have to do on Debian. -- Darren Duncan
Of course RedHat RPMs are built with SSL.

Does Debian create a self-signed certificate? If so, count me as unimpressed. I'd argue that's worse than doing nothing. Here's what the docs say (rightly) about such certificates:

   A self-signed certificate can be used for testing, but a certificate
   signed by a certificate authority (CA) (either one of the global CAs
   or a local one) should be used in production so that clients can
   verify the server's identity. If all the clients are local to the
   organization, using a local CA is recommended.

Creation of properly signed certificates is entirely outside the scope of Postgres, and I would not expect packagers to do it. I have created a local CA for RedHat and friends any number of times, and created signed certs for Postgres, both server and client, using them. It's not terribly hard.

cheers

andrew
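
The local-CA workflow mentioned in the message above, as an added example that is not part of the original e-mail or of any PostgreSQL package. The CA name, host name, key size and lifetimes are assumptions; `make_pg_certs` and `verify_against_ca` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: local CA plus a CA-signed server certificate for PostgreSQL.
# "Example Local CA", rsa:2048 and the lifetimes are illustrative assumptions.

# make_pg_certs DIR HOST: writes root.key/root.crt (the CA) and
# server.key/server.crt (signed by that CA) into DIR.
make_pg_certs() (
    dir=$1; host=$2
    umask 077   # server.key must not be group/world readable
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # 1. The CA itself: root.key is kept private, root.crt goes to clients.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config ca.cnf -extensions v3_ca \
        -keyout root.key -out root.crt &&
    # 2. Server key and signing request; the name is the one clients connect to.
    openssl req -new -nodes -newkey rsa:2048 -config ca.cnf \
        -subj "/CN=$host" -keyout server.key -out server.csr &&
    # 3. The CA signs the request, producing the server certificate.
    openssl x509 -req -in server.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 365 \
        -extfile ca.cnf -extensions v3_server -out server.crt
)

# verify_against_ca CA_CERT CERT: succeeds only if CERT chains to CA_CERT,
# which is the identity check a self-signed server certificate cannot offer.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

`server.crt` and `server.key` go in the server's data directory with `ssl = on`; clients install `root.crt` (by default `~/.postgresql/root.crt`) and connect with `sslmode=verify-full`.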




--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers