Re: sslmode=require fallback

Greg Stark <stark@mit.edu> writes:
> Well what's required to "configure SSL" anyways? If you don't have
> verify-ca set or a root canal cert present then the server just needs a
> certificate -- any certificate. Can the server just cons one up on demand
> (or server startup or initdb)?

Hmm, good old "snake oil certificate" approach.  Yeah, we could probably
have initdb create a cert all the time.  I had memories of this taking
an undue amount of time, but it seems pretty fast on a modern server.
Also, we could offer a switch to turn it off if necessary, with the
understanding that non-Unix-socket connections can be expected to fail
if user doesn't install a cert.
        regards, tom lane