Stephen Frost wrote:
> * Peter Eisentraut (pete...@gmx.net) wrote:
> > This is not a question of new client with old server. The new version of the
> > client has a more secure default that will possibly prevent it from connecting
> > to *any* server that is not adequately configured.
>
> A properly configured server could cause a failure too unless the client
> is *also* properly configured. Sure, it's good for people to do. No, I
> don't think we should break things if people don't build out a whole PKI
> for PG and configure all their certs correctly. It's pie-in-the-sky to
> think everyone will do that, and in the end most will just say "SSL
> breaks stuff, so we'll disable it" which certainly isn't better.
>
> > But it's a default, so the user can change it.
>
> It should be the default to connect, maybe with a warning.
>
> > Consider the analogy that a new web browser comes out that verifies server
> > certificates (as of course all respectable browsers do nowadays) whereas the
> > previous version one didn't. The right fix there is certainly not to
> > downgrade this to a warning when connecting to an older web server.
>
> Uh, no, the right fix is to have a warning/prompt (as pretty much all
> web browsers today do) but then continue to connect. Also, the
> web-browser analogy completely falls apart when you consider that the
> use case is significantly different (how many times have you connected
> to a PG server that you didn't know?).

The problem is that libpq doesn't have any ability to warn/prompt like
SSH and web browsers do, so I think Magnus patterned the libpq behavior
around cases where warning/prompt failed in these environments.

I am not saying the current behavior is correct, only why it was
configured that way.

--
  Bruce Momjian <br...@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +