Re: SSL patch
From | Dave Cramer |
---|---|
Subject | Re: SSL patch |
Date | |
Msg-id | CADK3HHL+g=eewWaCATsbZZ9b+U-=SQwiwWJf-5-WECR5mYm4tw@mail.gmail.com |
In reply to | Re: SSL patch (Bodor András <bodri.mh3@gmail.com>) |
List | pgsql-jdbc |
If you could create the certs that would be good. What do we do about
the CA errors ?

Dave Cramer

dave.cramer(at)credativ(dot)ca
http://www.credativ.ca

On Thu, Nov 10, 2011 at 11:13 AM, Bodor András <bodri.mh3@gmail.com> wrote:
> For the time being, you may create new certificates by issuing
>
> openssl req -x509 -newkey rsa:2048 -nodes -days 36500 -keyout server.key -out server.crt
>
> they will be good for 100 years. Or shall I send a new patch?
>
> For the question of Magosányi Árpád, right now pkcs11 is not supported,
> but it is not a complicated thing. We can return to it, when this patch works.
> Andras
>
> On Thu, Nov 10, 2011 at 4:55 PM, Dave Cramer <pg@fastcrypt.com> wrote:
>> Andras,
>>
>> I noticed that the server.crt in the patch is only good for 1 month
>> and expires in Sept of this year.
>>
>> Dave Cramer
>>
>> dave.cramer(at)credativ(dot)ca
>> http://www.credativ.ca
>>
>> On Thu, Nov 10, 2011 at 10:45 AM, Bodor András <bodri.mh3@gmail.com> wrote:
>>> Can you send me some error log, and your database setup?
>>>
>>> On Thu, Nov 10, 2011 at 4:19 PM, Dave Cramer <pg@fastcrypt.com> wrote:
>>>> Hi Bodor,
>>>>
>>>> Understood.
>>>>
>>>> So now all the tests are failing some due to unknown ca, others to
>>>> certificate expired ?
>>>>
>>>> Dave Cramer
>>>>
>>>> dave.cramer(at)credativ(dot)ca
>>>> http://www.credativ.ca
>>>>
>>>> On Thu, Nov 10, 2011 at 9:30 AM, Bodor András <bodri.mh3@gmail.com> wrote:
>>>>> Dear Dave,
>>>>>
>>>>> The installation of sslinfo is only necessary for the unit tests, it is
>>>>> not used at all in the driver itself. Obviously I wanted to test whether
>>>>> we were actually using ssl, but it is not essential. It can be removed,
>>>>> or an additional option can be introduced to ssltest.properties.
>>>>> The relevant lines are in
>>>>> org.postgresql.test.ssl.SslTest.driver(String connstr, Object[]
>>>>> expected)
>>>>>
>>>>> There are a few things still to be done with this patch.
>>>>> 1. the jdbc datasource interface was not modified at all,
>>>>> so it is unaware of the new options,
>>>>> 2. it should be decided, what is the expected behaviour of sslmode=allow
>>>>> or prefer (they might be omitted completely),
>>>>> 3. I have not tested certificate chains yet,
>>>>> 4. when a client certificate is available, the v8 and v9 servers
>>>>> behave differently (BUG #5468 is fixed in v9) so different unit tests are
>>>>> needed to check this,
>>>>> 5. there is a list of options somewhere in the code, this should
>>>>> be updated as well,
>>>>> 6. documentation.
>>>>>
>>>>> Andras
>>>>>
>>>>> On Thu, Nov 10, 2011 at 2:56 PM, Dave Cramer <pg@fastcrypt.com> wrote:
>>>>>> Andras,
>>>>>>
>>>>>> I'm looking at your patch attached to this link
>>>>>> http://archives.postgresql.org/pgsql-jdbc/2011-08/msg00067.php right
>>>>>> now. Thanks by the way!
>>>>>>
>>>>>> The only thing I'd like to pose to the list is the necessity for
>>>>>> sslinfo to be installed in any database. I can envision some
>>>>>> production environments in which this may not be possible ?
>>>>>>
>>>>>> Dave Cramer
>>>>>>
>>>>>> dave.cramer(at)credativ(dot)ca
>>>>>> http://www.credativ.ca
>>>>>>
>>>>>> On Thu, Sep 15, 2011 at 11:41 AM, Bodor Andras <bodri.mh3@gmail.com> wrote:
>>>>>>>
>>>>>>> Yes, it is also included in the patch
>>>>>>> (package org.postgresql.test.ssl). It
>>>>>>> tries to connect to a series of databases
>>>>>>> with different ssl properties. The connection
>>>>>>> strings are given in the ssltest.properties
>>>>>>> file in the root of the distribution. Just
>>>>>>> comment out the connstrings, that you don't
>>>>>>> want to run. Also read the certdir/README
>>>>>>> file. (build.xml is modified to run this test.)
>>>>>>> Andras
>>>>>>>
>>>>>>> Dave Cramer wrote:
>>>>>>>>
>>>>>>>> Hi Bodor,
>>>>>>>>
>>>>>>>> So do you have any test cases for this ?
>>>>>>>>
>>>>>>>> Dave Cramer
>>>>>>>>
>>>>>>>> dave.cramer(at)credativ(dot)ca
>>>>>>>> http://www.credativ.ca
>>>>>>>>
>>>>>>>> 2011/9/13 Bodor Andras <bodri.mh3@gmail.com>:
>>>>>>>>>
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> Can you make any use of my SSL patch sent in on the 23rd of August?
>>>>>>>>> Andras
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
>>>>>>>>> To make changes to your subscription:
>>>>>>>>> http://www.postgresql.org/mailpref/pgsql-jdbc
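
The two failure classes reported in this thread ("certificate expired" and "unknown ca") can be told apart before the SSL test suite runs. The script below is an added example, not part of the patch or the driver; the function names, the `unreadable`/`expiring` states and the 30-day margin are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for SSL test certificates.
# Function names, states and the default margin are assumptions.

# make_cert DIR NAME DAYS: constructed self-signed cert and key for a demo.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# cert_status CERT CAFILE [MIN_DAYS]: prints one of
#   unreadable | expired | expiring | unknown-ca | ok
cert_status() {
    cert=$1 ca=$2 min_days=${3:-30}
    # A file that does not parse must not be reported as merely expired.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 0
    fi
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    margin=$((min_days * 86400))
    if ! openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    # Chain check against the CA file the client is told to trust.
    # Assumes an OpenSSL whose verify exits non-zero on failure.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo unknown-ca; return 0
    fi
    echo ok
}

# Command-line use: sh check.sh server.crt root.crt [min_days]
if [ "$#" -ge 2 ]; then
    cert_status "$@"
fi
```

A self-signed server certificate only passes the last check when the same certificate (or its issuer) is the CA file the client trusts.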