[Pkg-postgresql-public] Bug#779683: Bug#779683: postgresql: pg_hba scripts (mis)configures for MD5 authentication
Michael Samuel
mik at miknet.net
Thu Mar 5 09:16:38 UTC 2015
Hi,

On 5 March 2015 at 19:58, Christoph Berg <myon at debian.org> wrote:
>> That's an excellent thought.. I wasn't aware of this. Unfortunately,
>> I'm not sure that we could make it the default in Debian as it requires
>> server-side certificates be configured and used properly (correct?) but
>> I don't see a reason to not support it and encourage its use.

TLS-SRP verifies both client and server.

> We have the autogenerated snakeoil certificates that we use anyway.
> If these aren't good (why?), we could put more automation in there and
> generate proper certificates. That's probably more of a
> distribution-wide topic and not just PostgreSQL, though.

The snake-oil certificate could certainly be improved with a more
useful framework for creating and submitting CSRs and monitoring for
renewal/expiry. Certutil(?) from FreeIPA does this.

Regards,
Michael