* Ian Pilcher (arequip...@gmail.com) wrote: > > In any case, the idea that this is somehow OpenSSL's fault and another > > implementation of the same protocol wouldn't have the same issue sounds > > pretty silly. > > Actually other implementations do this. In fact, a flag was added to > OpenSSL fairly recently to allow validating a chain only up to an > intermediate CA for this very reason.
Perhaps that's been a recent change, but it certainly wasn't part of the
original approach and complaining that PG doesn't do it is hardly fair.
Indeed, it sounds like this is something which should *still* be done
outside of PG and through however you configure OpenSSL on your system.
Regardless, it's completely off-topic for this discussion, which is
about documenting what we *currently* do. If you'd like to propose a
new set of features, or better yet, a rework of how we configure SSL in
PG, please do so on another thread. :)
Thanks!
Stephen
signature.asc
Description: Digital signature
