
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-bugs(at)postgresql(dot)org
Cc: Martin Pitt <mpitt(at)debian(dot)org>
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-10 18:21:54
Message-ID: 200904102121.55976.peter_e@gmx.net
Lists: pgsql-bugs
On Friday 10 April 2009 17:13:55 Martin Pitt wrote:
> However, we can't afford to break existing installations. If a user
> has 8.4 installed locally, he'll use libpq from 8.4, and suddenly he
> could not connect to a remote SSL 8.3 cluster any more. So the check
> needs at least be turned into a warning for connecting to a pre-8.4
> server.

This is not a question of new client with old server.  The new version of the 
client has a more secure default that will possibly prevent it from connecting 
to *any* server that is not adequately configured.

But it's a default, so the user can change it.

Consider the analogy that a new web browser comes out that verifies server 
certificates (as of course all respectable browsers do nowadays) whereas the 
previous one didn't.  The right fix there is certainly not to 
downgrade this to a warning when connecting to an older web server.

Not to mention the security implications: A rogue server could simply pretend 
to be of an older version to circumvent the client's security check.

