* Martijn van Oosterhout (kleptog@svana.org) wrote:
> On Mon, Apr 17, 2006 at 12:24:40PM -0400, Stephen Frost wrote:
> > I certainly agree with all the rest but I'm just not sure I can agree
> > with you here. While s_tunnel is nice it's not always an option and I
> > think it *would* be nice to have Postgres support things like CRLs and
> > OCSP but more from the server-side of things than the client-side.
>
> CRLs are easy, almost a one line change. I was actually surprised it
> wasn't done but I didn't add it because I figured someone had left it
> out for a reason.
I doubt there was a reason it was left out...
> OCSP is something else. And in any case, you don't need a result of
> PQgetssl() to use it since it's a completely seperate part of the
> library.
Right, I mentioned you'd just need the certificate, and that I was
talking about it on the server-side...
> But neither of these are what I considered "sophisticated". I don't
> think either of these require any API changes either.
Right, they don't require API changes (at least, not libpq) and wouldn't
provided the certificate is available. What I was getting at is that
they're more complicated SSL issues that the server *should* be able to
deal with (imv) and would require additional configuration parameters
and more of the SSL libraries than we're currently using.
Mainly I was trying to point out that trying to claim that "we don't do
anything with SSL, it's all up to the application to decide what they
want to do, and we give the application the SSL pointer so we don't have
to worry about it" doesn't really fly- we have an SSL-using application
ourselves which is the postmaster and we really should be able to
properly support it and be at least somewhat knowledgable about how it
works because SSL is a Good Thing for us to have.
Thanks,
Stephen