From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Lou Picciano <loupicciano(at)comcast(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, Srinivas Aji <srinivas(dot)aji(at)emc(dot)com> |
Subject: | Re: Re: [BUGS] BUG #6189: libpq: sslmode=require verifies server certificate if root.crt is present |
Date: | 2011-09-24 12:33:39 |
Message-ID: | CABUevEx1x92vKdUTgs1zvHSmLSaU=aObGZmqk-jR4xErwr2vHA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs pgsql-hackers |
On Fri, Sep 23, 2011 at 16:44, Alvaro Herrera
<alvherre(at)commandprompt(dot)com> wrote:
>
> Excerpts from Magnus Hagander's message of vie sep 23 11:31:37 -0300 2011:
>>
>> On Fri, Sep 23, 2011 at 15:55, Alvaro Herrera
>> <alvherre(at)commandprompt(dot)com> wrote:
>
>> > This seems strange to me. Why not have a second option to let the user
>> > indicate the desired SSL verification?
>> >
>> > sslmode=disable/allow/prefer/require
>> > sslverify=none/ca-if-present/ca/full
>> >
>> > (ca-if-present being the current "require" sslmode behavior).
>> >
>> > We could then deprecate sslmode=verify and verify-full and have them be
>> > synonyms of sslmode=require and corresponding sslverify.
>>
>> Hmm. I agree that the other suggestion was a bit weird, but I'm not
>> sure I like the multiple-options approach either. That's going to
>> require redesign of all software that deals with it at all today :S
>
> Why? They could continue to use the existing options; or switch to the
> new options if they wanted different behavior, as is the case of the OP.
I guess. I was mostly thinking in the terms of anything that has
connection things that look anything like the one in pgadmin for
example - which will now suddenly need more than one dropdown box, for
what really should be a simple setting. But I guess that can be
considered an UI thing, and jus thave said application map a single
dropdown to multiple options in the connection string.
>> Maybe we should just update the docs and be done with it :-)
>
> That's another option, sure ... :-)
I've applied a docs fix for this now. We can keep discussing how to
make a more extensive fix in head :)
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2011-09-24 16:40:10 | Re: BUG #6220: Flagstaff |
Previous Message | YAMAMOTO Takashi | 2011-09-24 03:36:34 | comment fixes |
From | Date | Subject | |
---|---|---|---|
Next Message | Simon Riggs | 2011-09-24 13:02:16 | Re: unite recovery.conf and postgresql.conf |
Previous Message | Hannu Krosing | 2011-09-24 11:00:35 | Re: Large C files |