Andrew Sullivan wrote:
On Sat, Oct 15, 2005 at 06:04:54PM -0700, Chris Travers wrote:
Out of curiosity, what is wrong with requiring client SSL certs to
access the system and only issuing them to the PGPool system (or using a
different CA if you need to issue client certs to the end users)? This
Hmm, I like this, although client SSL certs still didn't work with
JDBC last I checked, so it won't solve all the problems. But you're
right, this would mostly solve the problem I was thinking of,
provided it was described correctly to the (mostly-clueless)
technology rule-producers.
Oops. I guess PgPool doesn't support SSL connections to backend
servers. Too bad :-( This would have been a really nice elegant
solution to this problem. It looks like PgCluster may support SSL, I am
not sure.... The problem is that one needs some way of authenticating
the client not just the user. SSL would work for that.
I can't think of any other way to authenticate the client while still
allowing one to authenticate the user afterwards... And I doubt that it
is possible to use Kerberos to authenticate the daemon as well as the
end user...
Best Wishes,
Chris Travers
Metatron Technology Consulting
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris@xxxxxxxxxxxxxxxx
x-mozilla-html:FALSE
version:2.1
end:vcard
---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@xxxxxxxxxxxxxx so that your
message can get through to the mailing list cleanly
