[Pkg-postgresql-public] Bug#680162: postgresql-common: Use SSL cert configuration variables instead of symlinks for 9.2
Christoph Berg
myon at debian.org
Wed Jul 4 18:40:45 UTC 2012
Re: Daniel Kahn Gillmor 2012-07-04 <4FF45B2E.4070908 at fifthhorseman.net>
> Will any of the interested parties here be at debconf this coming week?
Not me.
> I hope to have a broader discussion about X.509 certificate and key
> management across debian on the 14th, and would be happy to have
> contributions from interested parties from the postgres community about
> what we can do to make cert management better-integrated for debian admins:
The snakeoil certs should be the symlink target/postgresql.conf values
for now. If the make-ssl-cert infrastructure decides to provide a
better default, we will switch to it, but I don't think we should try
to fix the "SSL handling in Debian problem" in the postgresql
packages. (And frankly, I find SSL with fake certs enabled by default
*way* better than shipping a really insecure default config.)
I'm not sure if PostgreSQL does anything special that the generic SSL
server package doesn't do, but here's a generic idea:
Wouldn't it make sense to provide a canonical location for "this host"
certificates like
/etc/ssl/certs/thishost.crt
/etc/ssl/private/thishost.key
which would initially be symlinks to the current snakeoil certs? That
way, people providing a real "this host" certificate wouldn't need to
change N packages. They would just make these two symlinks point to
the real files, and be done for most applications.
The case of a CA for client certificate validation is probably more
difficult, but maybe that should also have a generic default location.
I guess the default would be not to share that between applications by
default, but I might be wrong. Anyway, a default location that's
commented in the default config and just needs to be uncommented would
probably a nice service for admins.
Christoph
--
cb at df7cb.de | http://www.df7cb.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-postgresql-public/attachments/20120704/e445d9ec/attachment.pgp>
More information about the Pkg-postgresql-public
mailing list