|
1 | | -<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.1 2009/05/02 20:17:19 tgl Exp $ --> |
| 1 | +<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.2 2009/05/11 09:00:10 mha Exp $ --> |
2 | 2 | <!-- See header comment in release.sgml about typical markup --> |
3 | 3 |
|
4 | 4 | <sect1 id="release-8-4"> |
|
714 | 714 | </sect4> |
715 | 715 |
|
716 | 716 | <sect4> |
717 | | - <title>Authentication</title> |
| 717 | + <title>Authentication and security</title> |
718 | 718 | <itemizedlist> |
719 | 719 |
|
720 | 720 | <listitem> |
|
738 | 738 | </para> |
739 | 739 | </listitem> |
740 | 740 |
|
| 741 | + <listitem> |
| 742 | + <para> |
| 743 | + Support <acronym>SSL</> certificate chains in server certificate |
| 744 | + file (Andrew Gierth) |
| 745 | + </para> |
| 746 | + |
| 747 | + <para> |
| 748 | + Including the full certificate chain makes the client able |
| 749 | + to verify the certificate without having all intermediate CA |
| 750 | + certificates present in the local store, which is often the case for |
| 751 | + commercial CAs. |
| 752 | + </para> |
| 753 | + </listitem> |
741 | 754 | </itemizedlist> |
742 | 755 |
|
743 | 756 | </sect4> |
|
2616 | 2629 | </para> |
2617 | 2630 | </listitem> |
2618 | 2631 |
|
| 2632 | + <listitem> |
| 2633 | + <para> |
| 2634 | + Make Kerberos use the same method to determine the username of the |
| 2635 | + client as all other authentication methods (Magnus) |
| 2636 | + </para> |
| 2637 | + |
| 2638 | + <para> |
| 2639 | + Previously a special Kerberos-only API was used. |
| 2640 | + </para> |
| 2641 | + </listitem> |
2619 | 2642 | </itemizedlist> |
2620 | 2643 |
|
2621 | 2644 | </sect4> |
|
2637 | 2660 | connections. If a root certificate is not available to use for |
2638 | 2661 | verification, <acronym>SSL</> connections will fail. The |
2639 | 2662 | <literal>sslmode</> parameter is used to enable the certificate |
2640 | | - verification. |
| 2663 | + verification and set the level. |
| 2664 | + </para> |
| 2665 | + |
| 2666 | + <para> |
| 2667 | + The default is still not to do any verification, allowing connections |
| 2668 | + to SSL enabled servers without requiring a root certificate on the |
| 2669 | + client. |
| 2670 | + </para> |
| 2671 | + </listitem> |
| 2672 | + |
| 2673 | + <listitem> |
| 2674 | + <para> |
| 2675 | + Support wildcard server certificates (Magnus) |
2641 | 2676 | </para> |
2642 | 2677 |
|
2643 | 2678 | <para> |
2644 | | - The default is still not to do any verification. |
| 2679 | + If a certificate <acronym>CN</> starts with <literal>*</>, it will |
| 2680 | + be treated as a wildcard when matching the hostname, allowing the |
| 2681 | + use of the same certificate for multiple servers. |
2645 | 2682 | </para> |
2646 | 2683 | </listitem> |
2647 | 2684 |
|
|