Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
From | Stephen Frost |
---|---|
Subject | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
Date | |
Msg-id | 20090414131834.GK8123@tamriel.snowman.net |
In reply to | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt (Martin Pitt <mpitt@debian.org>) |
Replies | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
List | pgsql-bugs |

* Martin Pitt (mpitt@debian.org) wrote:
> Magnus Hagander [2009-04-11 11:50 +0200]:
> > That has just been brought up from previous versions. Perhaps we need to
> > have a system wide root store as well - then you could point that to
> > whatever snakeoil store you have, and it would find the cert correctly?
>
> We couldn't set this up by default, of course, since each installed
> machine will have a different snakeoil cert (it gets generated during
> installation).

It's worse than that.. Obviously, you can have the client installed on
systems which aren't where the server is (we do this a lot..) and there's
no way for a packaging system to pull the cert from the server.

> But at least the servers I know often use something
> like /etc/ssl/certs/<myservername>.crt and point their services (like
> apache, postfix, etc.) to this. However, right now the client side
> psql does not have any system wide configuration files, so adding
> something like this will need some careful design.

If we're going to do something along those lines, we should start by
supporting a CA cert directory or similar. We could then recommend
ca-certificates and default config the client to use those. Of course,
anyone who actually cares about security probably wouldn't install
ca-certificates, but it's what the browsers use.

Thanks,

Stephen