From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
Date: | 2009-04-13 10:25:11 |
Message-ID: | 49E31307.50807@hagander.net |
Lists: | pgsql-bugs |
Hiroshi Inoue wrote:
> Magnus Hagander wrote:
>> Hiroshi Inoue wrote:
>>> Magnus Hagander wrote:
>>>> Bruce Momjian wrote:
>>>>> Martin Pitt wrote:
>>>>>> I do see the benefit of failing to connect to an SSL-enabled server
>>>>>> *if* I have a root.crt which doesn't match. But why fail if I don't
>>>>>> have one?
>>>>> I have digested this thread, and have done two things: improved the
>>>>> documentation and posted a patch to make the error message clearer.
>>>>>
>>>>> In terms of your suggestion about root.crt, I think sslverify != none
>>>>> should error if it can't verify the server's certificate, whether the
>>>>> root.crt file is there or not. If you are asking for sslverify, it
>>>>> should do that or error, not ignore the setting if there is no
>>>>> root.crt file. The only other approach would be to add an sslverify value of
>>>>> 'try' that tries only if root.crt exists.
>>>> Doesn't "try" make the whole check pretty pointless, and you can just
>>>> set it to "none" then?
>>> Yes the snapshot psqlodbc driver already set sslverify to none and can't
>>> change it though it may be different from the expected behavior. It was
>>> not so easy to implement because sslverify parameter is illegal for <=
>>> 8.3 libpq and the psqlodbc driver doesn't rely on environment variables
>>> at all.
>>
>> Whatever the default is, if you can't change the value I'd say that
>> makes the ODBC driver pretty darn broken. It would be equally broken if
>> it was set to the default and it wasn't possible to change it.
>
> The psqlodbc driver has its own development cycle and doesn't use new
> core features at once usually. The problem is the default behavior about
> sslverify is incompatible with the 8.3 libpq behavior and the driver had
> to do something with it before 8.4 release. What the snapshot driver
> actually does is to simply hide the *sslverify* functionality.

I thought you were talking about a release version. If it's just a
snapshot, that is of course Ok. My apologies.

Though it might be easier even in that case to use an environment
variable to override it - that way the user could still override the
ODBC driver if you just checked if the variable was present before you
set it.

//Magnus