Discussion: First cut at SSL documentation

First cut at SSL documentation

From
Bear Giles
Date:
Attached is the first cut at some SSL documentation for the
PostgreSQL manual.  It's in plain text, not DocBook, to make
editing easy for the first few revisions.  The documentation
leads the code by a day or so.

Also, I'm still having problems with the patches list - none
of my recent submissions have gotten through, and I haven't
even gotten the confirmation note from when I tried to resubscribe
to that list.  That's why the main SSL patches haven't appeared yet.

Bear

Attachments

Re: First cut at SSL documentation

From
Bruce Momjian
Date:
Your patch has been added to the PostgreSQL unapplied patches list at:

    http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

---------------------------------------------------------------------------


Bear Giles wrote:
> Attached is the first cut at some SSL documentation for the
> PostgreSQL manual.  It's in plain text, not DocBook, to make
> editing easy for the first few revisions.  The documentation
> leads the code by a day or so.
>
> Also, I'm still having problems with the patches list - none
> of my recent submissions have gotten through, and I haven't
> even gotten the confirmation note from when I tried to resubscribe
> to that list.  That's why the main SSL patches haven't appeared yet.
>
> Bear

Content-Description: /tmp/ssldoc

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: First cut at SSL documentation

From
Bruce Momjian
Date:
Sorry, there is a newer version.  I will use that one.

---------------------------------------------------------------------------

Bear Giles wrote:
> Attached is the first cut at some SSL documentation for the
> PostgreSQL manual.  It's in plain text, not DocBook, to make
> editing easy for the first few revisions.  The documentation
> leads the code by a day or so.
>
> Also, I'm still having problems with the patches list - none
> of my recent submissions have gotten through, and I haven't
> even gotten the confirmation note from when I tried to resubscribe
> to that list.  That's why the main SSL patches haven't appeared yet.
>
> Bear

Content-Description: /tmp/ssldoc

[ Attachment, skipping... ]


--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: First cut at SSL documentation

From
Bear Giles
Date:
> Sorry, there is a newer version.  I will use that one.

You may want to hold off on that - I've been busy lately and haven't had
a chance to revisit the documentation or change some of the literal constants
to numeric constants, but it's been on my "to do" list.

The latter didn't affect the other patches since I planned on doing a
latter-day patch anyway, but the documentation may need some big changes
to emphasize the rule that it's "use SSH tunnels if you just want
to prevent eavesdropping, use SSL directly if you need to firmly establish
the identity of the server or clients."

(And sorry about responding via the lists, but your mail server doesn't
like to talk to cable modem users.)

Bear
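The rule Bear states above, that an SSH tunnel only prevents eavesdropping while direct SSL is what establishes the server's identity, is something a practitioner wants to be able to check in deployed connection strings. The following is an added example, not code from the thread or from PostgreSQL: a small auditor for libpq connection strings that reports whether each one can fall back to cleartext, only encrypts, or also authenticates the server. It assumes the sslmode values and the sslrootcert keyword of current libpq (disable, allow, prefer, require, verify-ca, verify-full), which postdate this 2002 thread; the sample DSNs are constructed for the example.

```python
"""Audit libpq connection strings for channel protection versus server identity.

Added example; assumes the current libpq sslmode keywords, not the 2002 patch.
Classification levels, weakest to strongest:
  cleartext-possible            sslmode disable/allow/prefer (libpq default is prefer);
                                an active attacker can force or observe a plaintext session
  encrypted-only                sslmode=require; stops passive eavesdropping, but any
                                certificate is accepted, so the peer is not authenticated
  server-authenticated          sslmode=verify-ca; certificate chains to sslrootcert,
                                but the host name in the certificate is not checked
  server-authenticated-hostname sslmode=verify-full; chain and host name both checked,
                                which is what "firmly establish the identity" requires
"""
import shlex
from urllib.parse import parse_qs, urlparse

SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
LEVELS = ["cleartext-possible", "encrypted-only",
          "server-authenticated", "server-authenticated-hostname"]
# Minimum level for the two goals named in the thread. An SSH tunnel with
# sslmode=disable inside it is the other way to reach "eavesdropping".
REQUIREMENT_MIN = {"eavesdropping": "encrypted-only",
                   "identity": "server-authenticated-hostname"}


def parse_dsn(dsn: str) -> dict:
    """Return the keyword=value parameters of a libpq DSN.

    Handles the keyword/value form ("host=db sslmode=require", quoted values
    allowed) and the URI form ("postgresql://user@db/app?sslmode=verify-full").
    Simplification: whitespace around '=' in the keyword form is not accepted.
    """
    params = {}
    if dsn.startswith(("postgresql://", "postgres://")):
        url = urlparse(dsn)
        if url.hostname:
            params["host"] = url.hostname
        for key, values in parse_qs(url.query).items():
            params[key] = values[-1]  # last occurrence wins, as in libpq
        return params
    for token in shlex.split(dsn):  # shlex strips quotes such as dbname='my db'
        if "=" not in token:
            raise ValueError(f"malformed DSN token: {token!r}")
        key, value = token.split("=", 1)
        params[key] = value
    return params


def classify(dsn: str) -> str:
    """Map a DSN to one of LEVELS based solely on its sslmode."""
    mode = parse_dsn(dsn).get("sslmode", "prefer")  # libpq default
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    if mode in ("disable", "allow", "prefer"):
        return "cleartext-possible"
    if mode == "require":
        return "encrypted-only"
    if mode == "verify-ca":
        return "server-authenticated"
    return "server-authenticated-hostname"


def missing_root_cert(dsn: str) -> bool:
    """True when a verify-* mode relies on the implicit ~/.postgresql/root.crt.

    That file is easy to forget to deploy, so an audit should call it out.
    """
    params = parse_dsn(dsn)
    return params.get("sslmode", "prefer").startswith("verify-") and "sslrootcert" not in params


def meets(dsn: str, requirement: str) -> bool:
    """Does the DSN satisfy the 'eavesdropping' or 'identity' goal?"""
    return LEVELS.index(classify(dsn)) >= LEVELS.index(REQUIREMENT_MIN[requirement])


# Constructed sample DSNs (not from any real deployment).
SAMPLE_DSNS = [
    "host=db.example.internal dbname=app",
    "host=db.example.internal dbname='my db' sslmode=require",
    "host=db.example.internal sslmode=verify-ca",
    "postgresql://app@db.example.internal/app?sslmode=verify-full&sslrootcert=/etc/pki/pg-ca.crt",
]

if __name__ == "__main__":
    for dsn in SAMPLE_DSNS:
        note = "  (no explicit sslrootcert)" if missing_root_cert(dsn) else ""
        print(f"{classify(dsn):30} identity={meets(dsn, 'identity')!s:5} {dsn}{note}")
```

Run stand-alone it prints one line per sample DSN; in a real audit the list would be read from application configuration. The point to take from it is the middle case: sslmode=require gives the "no eavesdropping" guarantee Bear attributes to SSH tunnels, but nothing more, and only verify-full (chain plus host name) gives the server-identity guarantee that was the reason for doing SSL directly.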

Re: First cut at SSL documentation

From
Bruce Momjian
Date:
Bear Giles wrote:
> > Sorry, there is a newer version.  I will use that one.
>
> You may want to hold off on that - I've been busy lately and haven't had
> a chance to revisit the documentation or change some of the literal constants
> to numeric constants, but it's been on my "to do" list.

OK, thanks. I will hold off on the docs part.

Sorry it has taken me so long to get to these SSL patches (my vacation).
I am doing them now.

> The latter didn't affect the other patches since I planned on doing a
> latter-day patch anyway, but the documentation may need some big changes
> to emphasize the rule that it's "use SSH tunnels if you just want
> to prevent eavesdropping, use SSL directly if you need to firmly establish
> the identity of the server or clients."
>
> (And sorry about responding via the lists, but your mail server doesn't
> like to talk to cable modem users.)

Sorry about the block.  RBL+ has been much more effective lately, and it
is because they are blocking more dialup users.  This is the first false
positive I have gotten from them.  You can use momjian@postgresql.org or
route your email through west.navpoint.com.  I will see if I can pass
your IP through.  I can do it in my blacklist, but I am not sure that
works for RBL+.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: First cut at SSL documentation

From
Larry Rosenman
Date:
* Bruce Momjian <pgman@candle.pha.pa.us> [020613 21:49]:
> Bear Giles wrote:
> > > Sorry, there is a newer version.  I will use that one.
> >
> > You may want to hold off on that - I've been busy lately and haven't had
> > a chance to revisit the documentation or change some of the literal constants
> > to numeric constants, but it's been on my "to do" list.
>
> OK, thanks. I will hold off on the docs part.
>
> Sorry it has taken me so long to get to these SSL patches (my vacation).
> I am doing them now.
>
> > The latter didn't affect the other patches since I planned on doing a
> > latter-day patch anyway, but the documentation may need some big changes
> > to emphasize the rule that it's "use SSH tunnels if you just want
> > to prevent eavesdropping, use SSL directly if you need to firmly establish
> > the identity of the server or clients."
> >
> > (And sorry about responding via the lists, but your mail server doesn't
> > like to talk to cable modem users.)
>
> Sorry about the block.  RBL+ has been much more effective lately, and it
> is because they are blocking more dialup users.  This is the first false
> positive I have gotten from them.  You can use momjian@postgresql.org or
> route your email through west.navpoint.com.  I will see if I can pass
> your IP through.  I can do it in my blacklist, but I am not sure that
> works for RBL+.
If you are using sendmail, the access file overrides the RBL, if you
set delay checks in the MC file.

I can help if you are using sendmail.

LER


--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 972-414-9812                 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

Re: First cut at SSL documentation

From
Bruce Momjian
Date:
Larry Rosenman wrote:
> > Sorry about the block.  RBL+ has been much more effective lately, and it
> > is because they are blocking more dialup users.  This is the first false
> > positive I have gotten from them.  You can use momjian@postgresql.org or
> > route your email through west.navpoint.com.  I will see if I can pass
> > your IP through.  I can do it in my blacklist, but I am not sure that
> > works for RBL+.
> If you are using sendmail, the access file overrides the RBL, if you
> set delay checks in the MC file.
>
> I can help if you are using sendmail.

Yes, using sendmail.  That is helpful info.  I don't have delay checks
enabled right now, but can easily do that.  Thanks.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: First cut at SSL documentation

From
Bruce Momjian
Date:
Larry Rosenman wrote:
> > Sorry about the block.  RBL+ has been much more effective lately, and it
> > is because they are blocking more dialup users.  This is the first false
> > positive I have gotten from them.  You can use momjian@postgresql.org or
> > route your email through west.navpoint.com.  I will see if I can pass
> > your IP through.  I can do it in my blacklist, but I am not sure that
> > works for RBL+.
> If you are using sendmail, the access file overrides the RBL, if you
> set delay checks in the MC file.
>
> I can help if you are using sendmail.

OK, Bear, configured for 192.168.1.3.  Would you shoot me a personal
email as a test?  Send failure message to momjian@postgresql.org.
Thanks.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Problem with SSL and IPv6

From
Bruce Momjian
Date:
Bear, there is some IPv6 stuff in fe-secure.c.  Is this intended?  We
don't support IPv6 in the backend yet, do we?  We are having portability
problems with that 'case' statement and I am considering removing it.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026