Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Peter Eisentraut wrote:
> On Friday 10 April 2009 08:39:33 Martin Pitt wrote:
> > Tom Lane [2009-04-10 1:15 -0400]:
> > > Martin Pitt <mpitt(at)debian(dot)org> writesyuqhom#3:
> > > > The test suite detected one regression in libpq, though: Setting
> > > > $PGHOST now complains about a missing root.crt, although this is only
> > > > relevant on the server side (or did I misunderstood this?)
> > >
> > > No, that's a progression: the client wants to validate the server's
> > > cert, too.
> >
> > Indeed it is nice to see this feature (great to prevent spoofing), but
> > if I don't have a ~/.postgresql/root.crt at all, it shouldn't
> > certainly break completely? (which it does now).
>
> I assume the server has the snakeoil certificate installed? In that case, it
> is correct that the client refuses to proceed, although the exact manner of
> breaking could perhaps be improved.

I have developed a patch to more clearly explain the problem with a
missing client root.crt file:

$ PGSSLVERIFY=cn sql -h localhost test
psql: root certificate file "/u/postgres/.postgresql/root.crt" does not exist
Either supply the file or set sslverify to "none" to disable server certificate verification.

$ PGSSLVERIFY=none sql -h localhost test
psql (8.4beta1)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

I had to add a second error message line; I didn't see us doing a
second line anywhere else in libpq, but it seemed to be the only
solution. Should I use three lines?

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +