gnumed-devel

Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed serve


From: Jim Busser
Subject: Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed server
Date: Sun, 01 Aug 2010 10:38:21 -0700

On 2010-08-01, at 12:37 AM, Sebastian Hilbert wrote:

>> about the wxPython GNUmed client connecting across
>> the internet... --> what provides its encryption, or --- if it is
>> unencrypted --- what would be the recommendation?
> 
> SSL
> 
> http://developer.postgresql.org/pgdocs/postgres/ssl-tcp.html

I assume it's not in place for the public database or, at least, I recall no 
interaction accepting or acknowledging a certificate.

Does anyone onlist have experience implementing SSL for postgres?

Have they used self-signed?

Lack of having it signed by a certificate authority makes the connecting users 
unable to verify (through such "trusted" external party) the identity of the 
server; however, since we are talking only about the small set of people who 
work in the praxis, can they (or whoever would set up their machine) simply be 
provided, independently, a blueprint for the certificate? This method would 
still have the downside of lacking revocation ability?

My experience connecting with SSL is mainly via browser so... if a GNUmed 
client were to try to make a connection to Postgres configured to only accept 
SSL connections, does the GNUmed client need to be updated somewhere in its 
configuration (login window checkbox?) to invoke SSL?

Would most or all OS be "alert" to the attempt at such connections, then 
warning the user of any domain name mismatch or any lack of the cert having 
been signed by a root cert within the machine store but allowing the user to 
accept the certificate one-time or to add it to the machine's store (which they 
should only do if the blueprint matches)?

Is this maybe best done in advance of running GNUmed by setting up SSL in a 
terminal / shell with key pairs?

Any thoughts on authenticating users (more than just userid and password)?

-- Jim
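
Added example, not part of the original message or of GNUmed's code: one way to do the out-of-band check asked about above, reading "blueprint" as a certificate fingerprint. It compares a self-signed certificate's SHA-256 fingerprint with one handed over independently and only then returns libpq connection keywords that pin that certificate. The function names, the sample certificates (constructed placeholder bytes) and the idea of passing the result to a libpq-based driver are assumptions.

```python
import hashlib
import hmac
import ssl
import string

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for the praxis server cert")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in for an unexpected cert")


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd", however the fingerprint was written down.
    return "".join(ch for ch in fp if ch not in ": \t\r\n").lower()


def matches_expected(pem_cert: str, expected_fp: str) -> bool:
    """Compare against the fingerprint that was handed over out of band."""
    expected = _normalize(expected_fp)
    if len(expected) != 64 or any(ch not in string.hexdigits for ch in expected):
        return False  # truncated or mistyped fingerprints never match
    return hmac.compare_digest(_normalize(fingerprint(pem_cert)), expected)


def pinned_params(pem_cert, expected_fp, cert_path, host, dbname, user):
    """Return libpq connection keywords only if the certificate was verified."""
    if not matches_expected(pem_cert, expected_fp):
        raise ValueError("certificate fingerprint mismatch; do not trust this file")
    return {
        "host": host, "dbname": dbname, "user": user,
        "sslmode": "verify-full",   # encrypt, verify the chain and the host name
        "sslrootcert": cert_path,   # the verified self-signed cert as trust anchor
    }
```

With `sslmode=verify-full` the host name used to connect must match the name in the certificate, and replacing a compromised certificate means redistributing a new file and fingerprint to every client, which is the revocation gap raised above.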



