On 08/19/2014 06:52 PM, Stephen Frost wrote:
> * Andres Freund (and...@2ndquadrant.com) wrote:
>>>> No. We should build something that's suitable for postgres, not
>>>> something general. We'll fail otherwise. For anything fancy the user has
>>>> to look at the certificate themselves. We should make it easy to get at
>>>> the whole certificate chain in a consistent manner.
>>>
>>> I don't buy this argument at all.
>>>
>>> Telling users they simply can't have this information isn't
>>> acceptable.
>>
>> Meh. Why? Most of that isn't something a normal libpq user is going to
>> need.
>
> I'm not interested in SSL support for users who don't use or care about
> SSL (which would be 'normal libpq users', really).  I've *long* been
> frustrated by our poor support of SSL and at how painful it is to get
> proper SSL working- and it's been a real problem getting PG to pass the
> security compliance requirements because of that poor support.  Let's
> stop the rhetoric that PG doesn't need anything but the most basic
> SSL/auditing/security capabilities.

I think you just packed up the goalposts for a one-way trip to Mars, but I wonder: What would you consider "proper SSL support"? What exactly are we missing?

- Heikki



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)