Re: [DOCS] Default names for CRL and CA files in the backend

From Daniel Gustafsson
Subject Re: [DOCS] Default names for CRL and CA files in the backend
Date
Msg-id 64542B9E-BF78-43BF-A884-3D183FB978D3@yesql.se
In reply to Re: [DOCS] Default names for CRL and CA files in the backend  (Michael Paquier <michael.paquier@gmail.com>)
Responses Re: [DOCS] Default names for CRL and CA files in the backend  (Michael Paquier <michael.paquier@gmail.com>)
Re: [DOCS] Default names for CRL and CA files in the backend  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-docs
> On 17 Aug 2017, at 03:26, Michael Paquier <michael.paquier@gmail.com> wrote:
>
> On Thu, Aug 17, 2017 at 7:31 AM, Daniel Gustafsson <daniel@yesql.se> wrote:
>> Commit a445cb92ef5b3a31313ebce30e18cc1d6e0bdecb removed the default names for
>> server-side CRL and CA files, but the defaults were left in the "SSL Server File
>> Usage" table with a small note.  I completely missed the note, even after
>> having been fiddling about with the code in question.  Removing the filenames
>> from the table, and altering the note per the attached patch, makes the docs
>> clearer IMHO.
>
> Here are additional notes on the matter.

Thanks, I should learn to not hit send before having coffee.

> From libpq.sgml:
>  <para>
>   In some cases, the client certificate might be signed by an
>   <quote>intermediate</> certificate authority, rather than one that is
>   directly trusted by the server.  To use such a certificate, append the
>   certificate of the signing authority to the <filename>postgresql.crt</>
>   file, then its parent authority's certificate, and so on up to a certificate
>   authority, <quote>root</> or <quote>intermediate</>, that is trusted by
>   the server, i.e. signed by a certificate in the server's
>   <filename>root.crt</filename> file.
>  </para>
>
> Am I reading that correctly? The last sentence should not mention
> root.crt as well.

Agreed.

> The paragraph after that assumes that ssl_ca_file is
> set to root.crt so it looks fine to use it. But that's not assumed
> here.

Right, it should perhaps be made clearer that root.crt is a proposed filename
in this example which could’ve been chosen as something else, but I can’t see a
good way off the cuff.  Did a tiny amount of wordsmithing here though to
indicate that it’s not a file the user should expect to have already.

> In sslinfo.sgml:
>    <para>
>     This function is really useful only if you have more than one trusted CA
>     certificate in your server's <filename>root.crt</> file, or if this CA
>     has issued some intermediate certificate authority certificates.
>    </para>
>
> In runtime.sgml:
>  <para>
>   Note that the server's <filename>root.crt</filename> lists the top-level
>   CAs that are considered trusted for signing client certificates.
>   In principle it need
>   not list the CA that signed the server's certificate, though in most cases
>   that CA would also be trusted for client certificates.
>  </para>
> Perhaps this should be changed as well.

Agreed.

> In config.sgml:
>       <para>
>        In previous releases of PostgreSQL, the name of this file was
>    hard-coded as <filename>root.crt</filename>.
>       </para>
> [...]
>       <para>
>        In previous releases of PostgreSQL, the name of this file was
>        hard-coded as <filename>root.crt</filename>.
>       </para>
> Why not mention the version of Postgres where the change began?
> I find it confusing not to specify such a level of detail.

Since all supported versions have this as a parameter, this seems to mainly
serve as a help for anyone upgrading from 9.1 (or earlier) so mentioning when
the change happened makes sense.  I added a note here (and on root.crl) stating
the version.

cheers ./daniel
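
Added example (written for this page; it is neither code from the thread nor from PostgreSQL): the chain file that the libpq paragraph quoted above describes, built from a client certificate signed by an intermediate CA, and then checked the way the server checks it, trusting only the root CA. It needs the openssl command-line tool. The CA subjects, the role name alice, the 30-day lifetimes and the file names are illustrative choices; root.crt is used here only because it is the name the thread discusses, not because the server defaults to it (the server trusts whatever file ssl_ca_file names).

```shell
#!/bin/sh
# Editor's example, not PostgreSQL code. Builds the client chain file
# (postgresql.crt = client cert + intermediate CA cert) and checks it against
# a server trust store that holds only the root CA. Needs the openssl CLI.
# Every subject, file name and lifetime below is made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509 v3 extensions for the demo CAs and for the client certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

# 1. Root CA: the only certificate the server trusts. On a real server this
#    is whatever ssl_ca_file points at; "root.crt" is just the demo's name.
openssl ecparam -name prime256v1 -genkey -noout -out root.key 2>/dev/null
openssl req -new -key root.key -subj '/CN=Demo Root CA' -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null

# 2. Intermediate CA, signed by the root. The server does NOT get this file.
openssl ecparam -name prime256v1 -genkey -noout -out intermediate.key 2>/dev/null
openssl req -new -key intermediate.key -subj '/CN=Demo Intermediate CA' -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out intermediate.crt 2>/dev/null

# 3. Client certificate for database role "alice", signed by the intermediate.
openssl ecparam -name prime256v1 -genkey -noout -out postgresql.key 2>/dev/null
openssl req -new -key postgresql.key -subj '/CN=alice' -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -days 30 -extfile client.ext -out client.crt 2>/dev/null

# What the libpq paragraph asks for: the client certificate first, then the
# certificate of each signing authority on the way up. The root itself is not
# appended; the server already has it in its CA file.
build_chain_file() {
  cat client.crt intermediate.crt > postgresql.crt
  chmod 0600 postgresql.key postgresql.crt
}

# Number of certificates in the chain file (leaf plus intermediates).
chain_length() {
  grep -c 'BEGIN CERTIFICATE' postgresql.crt
}

# The server's check, approximated with openssl verify: trust anchors come
# only from the CA file, intermediates only from what the client presented.
server_verifies() {
  openssl verify -no-CApath -CAfile root.crt -untrusted postgresql.crt client.crt >/dev/null 2>&1
}

# The failure the docs warn about: present the bare client certificate and the
# server cannot link it to a trusted CA, even though the CA file is correct.
server_verifies_bare_leaf() {
  openssl verify -no-CApath -CAfile root.crt client.crt >/dev/null 2>&1
}

build_chain_file
echo "postgresql.crt holds $(chain_length) certificates"
if server_verifies; then echo "chain file: accepted"; else echo "chain file: rejected"; fi
if server_verifies_bare_leaf; then
  echo "bare leaf: accepted"
else
  echo "bare leaf: rejected (no path from alice to a trusted CA)"
fi
```

The same script doubles as a pre-flight check before rolling a new client certificate out: if server_verifies fails against a copy of the server's CA file, the connection will fail with an SSL error as well. The bare-leaf case also shows why the server's CA file can stay short: it needs the top-level CAs only, as the runtime.sgml paragraph quoted above says, and the intermediates travel with the client.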

