Dan Kaminsky <dan(at)doxpara(dot)com> writes:
> Let's talk about the verify_cb callback first: Suppose there's a
> man-in-the-middle between the PG client and the PG server. Is some
> secondary force going to apply some Trusted CA list?
I'm not sure why we have verify_cb at all -- so far as I can see,
it just specifies the same behavior as OpenSSL's default. Are
you saying that OpenSSL's default verification behavior is broken?
> Second, are you saying verify_peer doesn't do anything for
> authentication? Are you sure about that? There's really little reason
> otherwise for the call to exist.
Er, we don't *have* a verify_peer callback.
regards, tom lane