Re: SSL cleanups/hostname verification

On Tue, Nov 11, 2008 at 06:16, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> Alex Hunsaker wrote:
>> On Mon, Oct 20, 2008 at 05:50, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>
>> $ SSLVERIFY=cn ./psql junk -h 192.168.0.2
>> psql: server common name 'bahdushka' does not match hostname
>> '192.168.0.2'FATAL: no pg_hba.conf entry for host "192.168.0.2", user
>> "alex", database "junk", SSL off
>
> It needs to be PGSSLVERIFY if it's an environment variable. sslverify is
> the connection parameter.

Doh! Will go retry just as soon as I find a boot big enough to kick myself with.

> I think that's confusing your tests all the way through :(
>
> Also, I'd recommend running the server with a log on a different console
> or to a file so you don't get client and server error messages mixed up.

Well it was on a different console, I just put them into the same view
to show that I was actually restarting postgres when I changed the ssl
keys :)

>> $ SSLVERIFY=none ./psql junk -h bahdushka
>> psql: root certificate file (/home/alex/.postgresql/root.crt)
>
> Is that really the whole error message, or was it cut off? Because if it
> is, then that is certainly a bug!

Err it said psql: root certificate file
(/home/alex/.postgresql/root.crt) not found

>> But other than that looks good other than the promised documentation
>> and the mem leak Tom Lane noted. (unless I missed an updated patch?)
>
> I think you did, because there is certainly docs in the last one I sent
> :-) But here's the very latest-and-greatest - I changed the cn matching
> to be case insensitive per offlist comment from Dan Kaminsky, and an
> internal return type to bool instead of int.

Thanks