On Sat, Dec 29, 2007 at 12:40:24PM +0100, Magnus Hagander wrote:
> We already *do* allow the DBA to choose this, no? If you put the root
> certificate on the client, it *will* verify the server cert, and it
> *will* refuse to connect to a server that can't present a trusted root cert.

I think Tom's point is that we don't allow this for connections over a
Unix Domain socket. And thus we should remove the asymmetry so the
verification can work for them also.

Personally I quite liked the idea of having a serveruser=foo which is
checked by getting the peer credentials. Very low cost, quick setup
solution.

Have a nice day,
-- 
Martijn van Oosterhout   <[EMAIL PROTECTED]>   http://svana.org/kleptog/
> Those who make peaceful revolution impossible will make violent revolution 
> inevitable.
>  -- John F Kennedy
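
The peer-credential check suggested in the message above, sketched as an added example that is not part of the original thread or of PostgreSQL's code: a client connects over a Unix domain socket and refuses to proceed unless the listening process runs as the expected user. It assumes Linux (`SO_PEERCRED`); the function names and the `serveruser` parameter are hypothetical, and the socket path and listener are constructed for the demonstration.

```python
import os
import pwd
import socket
import struct
import tempfile

class PeerMismatch(Exception):
    """The process behind the socket does not run as the expected user."""

def peer_credentials(sock):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket (Linux)."""
    fmt = "iII"  # struct ucred: pid_t pid, uid_t uid, gid_t gid
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def connect_verified(path, serveruser):
    """Connect to `path`; refuse unless the listener runs as `serveruser`.

    `serveruser` (hypothetical, named after the option proposed above)
    is a user name or a numeric uid.
    """
    want = serveruser if isinstance(serveruser, int) else pwd.getpwnam(serveruser).pw_uid
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        _pid, uid, _gid = peer_credentials(sock)
        if uid != want:
            raise PeerMismatch(f"listener on {path} runs as uid {uid}, expected {want}")
    except BaseException:
        sock.close()  # never hand back a socket whose peer was not verified
        raise
    return sock

def demo():
    """Constructed scenario: a listener in this process stands in for the server."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "s.sock")  # constructed socket path
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(2)
            connect_verified(path, os.getuid()).close()
            results["same_uid"] = "accepted"
            try:
                connect_verified(path, os.getuid() + 1).close()
                results["other_uid"] = "accepted"
            except PeerMismatch:
                results["other_uid"] = "refused"
    return results

if __name__ == "__main__":
    print(demo())
```

The kernel fills in the credentials, so the client does not depend on anything the listening process claims about itself.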
