Re: BUG #4340: SECURITY: Is SSL Doing Anything?
From | Bruce Momjian |
---|---|
Subject | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
Date | |
Msg-id | 200808151527.m7FFRUu22265@momjian.us |
In reply to | Re: BUG #4340: SECURITY: Is SSL Doing Anything? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
List | pgsql-bugs |

Tom Lane wrote:
> Dan Kaminsky <dan@doxpara.com> writes:
> > Let's talk about the verify_cb callback first: Suppose there's a
> > man-in-the-middle between the PG client and the PG server. Is some
> > secondary force going to apply some Trusted CA list?
>
> I'm not sure why we have verify_cb at all -- so far as I can see,
> it just specifies the same behavior as OpenSSL's default. Are
> you saying that OpenSSL's default verification behavior is broken?

verify_cb() is just a throwaway true parameter for the function, I
assume.

> > Second, are you saying verify_peer doesn't do anything for
> > authentication? Are you sure about that? There's really little reason
> > otherwise for the call to exist.
>
> Er, we don't *have* a verify_peer callback.

Uh, the user reported running Postgres 7.3 and we have improved SSL
quite a bit since then so perhaps an upgrade and reading the current
docs would help the user.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +