Tom Lane wrote:
> Bruce Momjian <br...@momjian.us> writes:
>> In terms of your suggestion about root.crt, I think sslverify != none
>> should error if it can't verify the server's certificate, whether the
>> root.crt file is there or not. If you are asking for sslverify, it
>> should do that or error, not ignore the setting if there is no root.crt
>> file.
>
> Fair enough.
>
>> The only other approach would be to add an sslverify value of
>> 'try' that tries only if root.crt exists.
>
> +1 for adding a "try" setting (though I'm not sure if I like that name
> or not). I don't think that we actually have any choice in the matter.
> By the end of beta, we *will* have such a setting; the only question
> in my mind is whether it will be default or not. That depends on
> exactly how nasty the villagers become ...

The option is there already, it's called "none". That's what people are asking for - they don't care who they are connecting to, just that the traffic is encrypted (be it legitimate or hacked traffic, at least it's encrypted). It's just a matter of if it's default or not.

//Magnus

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)