| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Cc: | Martin Pitt <mpitt(at)debian(dot)org> |
| Subject: | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Date: | 2009-04-10 18:21:54 |
| Message-ID: | 200904102121.55976.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Friday 10 April 2009 17:13:55 Martin Pitt wrote:
> However, we can't afford to break existing installations. If a user
> has 8.4 installed locally, he'll use libpq from 8.4, and suddenly he
> could not connect to a remote SSL 8.3 cluster any more. So the check
> needs at least be turned into a warning for connecting to a pre-8.4
> server.
This is not a question of new client with old server. The new version of the
client has a more secure default that will possibly prevent it from connecting
to *any* server that is not adequately configured.
But it's a default, so the user can change it.
Consider the analogy that a new web browser comes out that verifies server
certificates (as of course all respectable browsers do nowadays) whereas the
previous version one didn't. The right fix there is certainly not to
downgrade this to a warning when connecting to an older web server.
Not to mention the security implications: A rogue server could simply pretend
to be of an older version to circumvent the client's security check.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2009-04-10 18:27:54 | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Previous Message | Tom Lane | 2009-04-10 18:21:23 | Re: Re: [BUGS] BUG #4027: backslash escaping notdisabled inplpgsql |