On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > > It's possible that we could adopt some policy like "if the root.crt file > exists then default to verify" ... but that seems messy and unreliable, > so I'm not sure it would really add any security. >
That is what we do. If root.crt exists, we default to verify-ca. And yes, it is messy and unreliable. I don't know if it adds any security or not. Or do you mean we could default to verify-full instead of verify-ca? Cheers, Jeff
