On 14.07.2016 23:34, Magnus Hagander wrote:


On Thu, Jul 14, 2016 at 11:27 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:

    Greg Stark <st...@mit.edu> writes:
    > Well what's required to "configure SSL" anyways? If you don't have
    > verify-ca set or a root canal cert present then the server just needs a
    > certificate -- any certificate. Can the server just cons one up on demand
    > (or server startup or initdb)?

    Hmm, good old "snake oil certificate" approach.  Yeah, we could probably
    have initdb create a cert all the time.  I had memories of this taking
    an undue amount of time, but it seems pretty fast on a modern server.


It can still take a very significant amount of time in some virtual
environments, due to lack of entropy. And virtual environments aren't
exactly uncommon these days...

What expire time would you choose for the certificate? One year? Two years?
Which tool is going to re-generate your new cert, once this one expires? You don't want to run initdb again ...


Regards,

--
                                Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
Volunteer Regional Contact, Germany - PostgreSQL Project


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
