Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
| От | Tom Lane |
|---|---|
| Тема | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Дата | |
| Msg-id | 393.1239395125@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt (Peter Eisentraut <peter_e@gmx.net>) |
| Список | pgsql-bugs |
[ sorry for double reply, but I missed answering this point ]
Peter Eisentraut <peter_e@gmx.net> writes:
> On Friday 10 April 2009 22:50:02 Tom Lane wrote:
>> If we believe that then we need to also change the server to require
>> a root.crt.
> That would make sense if the server required SSL in the first place. But the
> default configuration of the server is to take anything. It would conceivably
> be proper to require a stronger client authentication mechanism than "trust"
> on hostssl lines. (This doesn't have to be SSL-based client authentication.)
I guess I was insufficiently precise, because you seem to be responding
to a different point than I intended to make. What I should have said
was "change the server to require a root.crt in order to successfully
establish an SSL connection". Not that you have to have such a file
even if you don't care about SSL. But if we are going to enforce that
SSL implies verification on the client side, then surely it should
also imply that on the server side.
regards, tom lane
В списке pgsql-bugs по дате отправления: