Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-bugs(at)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>, Martin Pitt <mpitt(at)debian(dot)org>
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-10 20:25:25
Message-ID: 393.1239395125@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

[ sorry for double reply, but I missed answering this point ]

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On Friday 10 April 2009 22:50:02 Tom Lane wrote:
>> If we believe that then we need to also change the server to require
>> a root.crt.

> That would make sense if the server required SSL in the first place. But the
> default configuration of the server is to take anything. It would conceivably
> be proper to require a stronger client authentication mechanism than "trust"
> on hostssl lines. (This doesn't have to be SSL-based client authentication.)

I guess I was insufficiently precise, because you seem to be responding
to a different point than I intended to make. What I should have said
was "change the server to require a root.crt in order to successfully
establish an SSL connection". Not that you have to have such a file
even if you don't care about SSL. But if we are going to enforce that
SSL implies verification on the client side, then surely it should
also imply that on the server side.

regards, tom lane

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message Euler Taveira de Oliveira 2009-04-10 20:32:43 Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Previous Message Kevin Grittner 2009-04-10 20:23:52 Re: Re: [BUGS] BUG #4027: backslash escapingnotdisabled inplpgsql