Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist

From: Jim Jones <jim(dot)jones(at)uni-muenster(dot)de>
To: Israel Barth Rubio <barthisrael(at)gmail(dot)com>
Cc: Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Date: 2023-01-20 19:09:42
Message-ID: c9e5b368-29af-61f8-d3ae-aa6b6fc69f50@uni-muenster.de
Lists: pgsql-hackers

Hello Israel,

Thanks a lot for the suggestion!

> I do not think it is worth it to change the current behavior of
> PostgreSQL in that sense.

Well, I am not suggesting to change the current behavior of PostgreSQL in
that matter. Quite the contrary, I find this feature very convenient,
especially when you need to deal with many different clusters. What I am
proposing is rather the possibility to disable it on demand :) I mean,
in case I do not want libpq to try to authenticate using the certificates
in `~/.postgresql`.

> PostgreSQL looks for the cert and key under `~/.postgresql` as a
> facility. These files do not exist by default, so if PostgreSQL finds
> something in there it assumes you want to use it.

Yes. I'm just trying to find an elegant way to disable this assumption
on demand.

> I also think it is correct in the sense of choosing the certificate over
> a password based authentication when it finds a certificate as the cert
> based would provide you with stronger checks.

I couldn't agree more.

> It would require that you move the SSL cert and key from
> `~/.postgresql` to somewhere else and specify `sslcert` and `sslkey`
> in the expected service in the `~/.pg_service.conf` file.

That's exactly what I am trying to avoid. IOW, I want to avoid having to
move the cert files to another path and consequently having to configure
30 different entries in the pg_service.conf because of a single server
that does not support ssl authentication.

I do realize that this patch is a big ask, since probably nobody except
me "needs it" :D

Thanks again for the message. Much appreciated!

Best,

Jim
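The workaround quoted in this message (move the cert and key out of `~/.postgresql` and name them per service with `sslcert` and `sslkey`) written out as an added example `~/.pg_service.conf`. This is not from the thread or from PostgreSQL itself; the service names, hosts, database, user and file paths are placeholders.

```ini
# ~/.pg_service.conf (added example; hosts, names and paths are placeholders)

# Cluster that authenticates by client certificate. The cert and key were
# moved out of ~/.postgresql, so they must be named explicitly here.
[cert_cluster]
host=db-cert.example.internal
port=5432
dbname=appdb
user=app
sslmode=verify-full
sslrootcert=/home/me/pg/certs/root.crt
sslcert=/home/me/pg/certs/app.crt
sslkey=/home/me/pg/certs/app.key

# Cluster that only supports password (md5) authentication. No sslcert or
# sslkey is set, and since ~/.postgresql/postgresql.{crt,key} no longer
# exist, libpq has no client certificate to present and falls through to
# the password prompt.
[md5_cluster]
host=db-legacy.example.internal
port=5432
dbname=appdb
user=app
sslmode=require
```

A service is selected with `psql "service=cert_cluster"` or by exporting `PGSERVICE=md5_cluster`; the file location can be overridden with `PGSERVICEFILE`. Two checks worth doing after moving the files: libpq refuses a private key that is group- or world-readable, so the moved key should keep mode 0600, and every service that still relies on certificate authentication needs its own `sslcert`/`sslkey` lines, which is exactly the per-entry maintenance the message above is trying to avoid.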
