Re: Stephen Frost 2015-03-04 <20150304145551.gu29...@tamriel.snowman.net>
> > Just to put the idea out there; PGSQL currently links to OpenSSL for
> > TLS, right? TLS has support for SRP [0] [1]. This could be used for
> > password based authenticated TLS sessions without client certificates.
> > Might be less of a burden on users than deploying PKIX with
> > client-certificates while still providing proper security.
> 
> That's an excellent thought..  I wasn't aware of this.  Unfortunately,
> I'm not sure that we could make it the default in Debian as it requires
> server-side certificates be configured and used properly (correct?) but
> I don't see a reason to not support it and encourage its use.

We have the autogenerated snakeoil certificates that we use anyway.
If these aren't good (why?), we could put more automation in there and
generate proper certificates. That's probably more of a
distribution-wide topic and not just PostgreSQL, though.

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/
