Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Tom Lane wrote:
>>> Having a connection that
>>> was encrypted in 8.3 silently become clear-text after installing 8.4
>>> is just plain NOT acceptable.
>>>
>>> I think the patch would be fine if we simply keep the default where
>>> it is, however. Is there some point I am missing that compels
>>> selection of a less-secure default?
>
>> The current default *makes no sense*. Ever. Not just as a default.
>
> I categorically reject that thinking. Encrypted connections are useful
> even without authentication. Your argument ignores the real fact that
> eavesdropping is easier than man-in-the-middle attacks. Even if there
> weren't any significant difference, what is the gain from switching to
> unencrypted in cases where we previously used encryption? There is
> none.

Did you read the thread? That's not the argument that makes it make no
sense.

Yes, encrypted connections are useful without authentication. But they
are quite useless unless you can determine if you have encryption *at
all* before you start sending sensitive data.

>> However, I can see us having "allow" instead of "disable" as the
>> default. That is the most forgiving of all settings - it will work with
>> whatever you had configured before.
>
> And it still moves us to "less secure than 8.3 by default", because
> configurations that formerly used encrypted connections might now use
> unencrypted ones. It's not acceptable.

Fine. I'll leave the default as it is then, and document that the
default we've chosen means "I don't care if I get security or not, but
if possible, I'd like to pay the encryption overhead".

//Magnus