Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-11 22:29:28
Message-ID: 49E119C8.2090404@hagander.net
Lists: pgsql-bugs

Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
>> In terms of your suggestion about root.crt, I think sslverify != none
>> should error if it can't verify the server's certificate, whether the
>> root.crt file is there or not. If you are asking for sslverify, it
>> should do that or error, not ignore the setting if there is no root.crt
>> file.
>
> Fair enough.
>
>> The only other approach would be to add an sslverify value of
>> 'try' that tries only if root.crt exists.
>
> +1 for adding a "try" setting (though I'm not sure if I like that name
> or not). I don't think that we actually have any choice in the matter.
> By the end of beta, we *will* have such a setting; the only question
> in my mind is whether it will be default or not. That depends on
> exactly how nasty the villagers become ...

The option is there already, it's called "none". That's what people are
asking for - they don't care who they are connecting to, just that the
traffic is encrypted (be it legitimate or hacked traffic, at least it's
encrypted).

It's just a matter of if it's default or not.

//Magnus
