Hello Bruce, Bruce Momjian [2009-04-11 8:33 -0400]: > I noticed you didn't quote the next sentence: > > The SSL connection will fail if the server does not present a trusted > certificate.
Indeed. When I read it first, it seemed unrelatead to me, but now I understand where this was aiming at. > Which clearly explains _a_ failure, but doesn't link it well to the > behavior. I agree the wording needs improvement so I have update the > doc paragraph to mention "requires" at the beginning": > > I will now look at improving the libpq error message. I saw your patches. Many thanks, this is much clearer now. Bruce Momjian [2009-04-11 17:42 -0400]: > The only other approach would be to add an sslverify value of > 'try' that tries only if root.crt exists. The semantics of this sound like a good default to me, since it would enforce a good cert as soon as I start caring, i. e. when I actually have a root.crt to verify against. This is the kind of "single-action SSL enabling" workflow I was already looking for when configuring the snakeoil SSL cert by default. Perhaps it shouldn't be called "try", though, maybe "cert" should have above semantics, and "force" should have the currently implemented one (i. e. fail if not present)? But that gets us dangerously close to bikeshedding now... Martin -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
