Martin Pitt wrote: > Peter Eisentraut [2009-04-10 14:56 +0300]: >> I assume the server has the snakeoil certificate installed? In that case, >> it >> is correct that the client refuses to proceed, although the exact manner of >> breaking could perhaps be improved. > > Is it really refusing self-signed certificates? That would be strange.
It treats self-signed certificates the same way it treats anything else. In the case of a self-signed one, the certificate and the CA certificate are the same. Thus, you have to copy the server certificate to the client. (This is, of course, not a security issue in itself, because you don't copy the *key* over. Just as a FYI to those who thought it would be :-P) > I had thought it checks whether the user has the server signing > certificate of the server installed on his client home directory > (which, BTW, seems like a strange place to default to, and thus keep > it). That has just been brought up from previous versions. Perhaps we need to have a system wide root store as well - then you could point that to whatever snakeoil store you have, and it would find the cert correctly? //Magnus -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
