Dan Kaminsky <dan(at)doxpara(dot)com> writes:
> My question has been: When you attempt to create an SSL connection to
> database.backend.com, do you actually validate that:
> 1) The subject name of the certificate you're connecting to is
> database.backend.com, and
> 2) At least the basic checks (expiration, chaining back to a valid root)
> occur?
[ shrug... ] We do whatever OpenSSL's default validation behavior is.
If that's inadequate you probably ought to be taking it up with them,
instead of trying to get downstream projects to fix it one at a time.
regards, tom lane