Skip site navigation (1) Skip section navigation (2)

Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-13 10:25:11
Message-ID: 49E31307.50807@hagander.net (view raw or flat)
Thread:
Lists: pgsql-bugs
Hiroshi Inoue wrote:
> Magnus Hagander wrote:
>> Hiroshi Inoue wrote:
>>> Magnus Hagander wrote:
>>>> Bruce Momjian wrote:
>>>>> Martin Pitt wrote:
>>>>>> I do see the benefit of failing to connect to an SSL-enabled server
>>>>>> *if* I have a root.crt which doesn't match. But why fail if I don't
>>>>>> have one?
>>>>> I have digested this thread, and have done two things:  improved the
>>>>> documentation and posted a patch to make the error message clearer.
>>>>>
>>>>> In terms of your suggestion about root.crt, I think sslverify != none
>>>>> should error if it can't verify the server's certificate, whether the
>>>>> root.crt file is there or not.  If you are asking for sslverify, it
>>>>> should do that or error, not ignore the setting if there is no
>>>>> root.crt
>>>>> file.  The only other approach would be to add an sslverify value of
>>>>> 'try' that tries only if root.crt exists.
>>>> Doesn't "try" make the whole check pretty pointless, and you can just
>>>> set it to "none" then?
>>> Yes the snapshot psqlodbc driver already set sslverify to none and can't
>>> change it though it may be differnet from the expected behavior. It was
>>> not so easy to implement because sslverify parameter is illegal for <=
>>> 8.3 libpq and the psqlodbc driver doesn't rely on environment variables
>>> at all.
>>
>> Whatever the default is, if you can't change the value I'd say that
>> makes the ODBC driver pretty darn broken. It would be equally broken if
>> it was set to the default and it wasn't possible to change it.
> 
> The psqlodbc driver has its own development cycle and doesn't use new
> core features at once usually. The problem is the default behavior about
> sslverify is incompatible with the 8.3 libpq behavior and the driver had
> to do something with it before 8.4 release. What the snapshot driver
> actualy does is to simply hide the *sslverify* functionality.

I thought you were talking about a release version. If it's just a
snapshot, that is of course Ok. My apologies.

Though it might be easier even in that case to use an environment
variable to override it - that way the user could still override the
ODBC driver if you just checked if the variable was present before you
set it.

//Magnus

In response to

Responses

pgsql-bugs by date

Next:From: Kevin GrittnerDate: 2009-04-13 19:06:33
Subject: Re: Re: [BUGS] BUG #4027: backslashescapingnotdisabledinplpgsql
Previous:From: Magnus HaganderDate: 2009-04-13 10:23:43
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group