Re: controlling the location of server-side SSL files

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> On ons, 2012-02-29 at 14:27 -0500, Tom Lane wrote:
>> Hm? Obviously I misunderstood what changes you were proposing to make,
>> so would you mind spelling it out?

> The details are to be determined, but a possible change would likely be
> that instead of looking for a file and using it if and only if found,
> there would be some kind of connection parameter saying "use this file
> for this functionality", and otherwise it's not used. The particular
> example would be the CRL file.

Mph. That seems unlikely to be a net win to me. The scenario I'm
imagining is that you ("you" being DBA for some group of people) didn't
have a CRL file before, and now you need one. Your administration
problem is to get that CRL file into place for all your users.
If we change as above, then you still have that admin problem, plus now
you have another: getting all your users to use the new connection
parameter. Which, as a rule, is going to be tough (for example, psql
has no easy way to make that happen). The new admin problem offers you
no leverage at all on the old one, either, since a user who's not
acquired the CRL file more than likely hasn't changed his connection
habits either.

There may or may not be some value in a connection parameter that allows
specifying a location besides ~/.postgresql/ for the SSL support files.
But I don't find any attraction in changing the default behavior.

regards, tom lane