Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Magnus Hagander wrote:
> Tom Lane wrote:
>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>> Tom Lane wrote:
>>>> Having a connection that
>>>> was encrypted in 8.3 silently become clear-text after installing 8.4
>>>> is just plain NOT acceptable.
>>>>
>>>> I think the patch would be fine if we simply keep the default where
>>>> it is, however. Is there some point I am missing that compels
>>>> selection of a less-secure default?
>>> The current default *makes no sense*. Ever. Not just as a default.
>> I categorically reject that thinking. Encrypted connections are useful
>> even without authentication. Your argument ignores the real fact that
>> eavesdropping is easier than man-in-the-middle attacks. Even if there
>> weren't any significant difference, what is the gain from switching to
>> unencrypted in cases where we previously used encryption? There is
>> none.
>
> Did you read the thread? That's not the argument that makes it make no
> sense.
>
> Yes, encrypted connections are useful without authentication. But they
> are quite useless unless you can determine if you have encryption *at
> all* before you start sending sensitive data.
>
>
>>> However, I can see us having "allow" instead of "disable" as the
>>> default. That is the most forgiving of all settings - it will work with
>>> whatever you had configured before.
>> And it still moves us to "less secure than 8.3 by default", because
>> configurations that formerly used encrypted connections might now use
>> unencrypted ones. It's not acceptable.
>
> Fine. I'll leave the default as it is then, and document that the
> default we've chosen means "I don't care if I get security or not, but
> if possible, I'd like to pay the encryption overhead".
>

I have applied a patch that does this.

There are some further documentation updates required, I'll keep working
on those.

//Magnus