Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Tom Lane wrote:
>>> In the first place, I have never seen such a prompt, despite the fact
>>> that I use ssh constantly to connect to machines that I know do not have
>>> properly signed certificates.
>
>> *really*? Here's what I get as an example (after removing the trust):
>
>> ha@mha-laptop:~/.ssh$ ssh cvs.postgresql.org
>> The authenticity of host 'cvs.postgresql.org (217.196.146.206)' can't be
>> established.
>> DSA key fingerprint is 54:27:10:f3:48:0a:f0:b6:c3:14:79:7e:49:c0:75:f3.
>> Are you sure you want to continue connecting (yes/no)? ^C
>
> This simply tells you that the machine has a new key since last time you
> talked to it.  It doesn't have anything to do with whether the machine's
> cert has been signed by anybody.  It also doesn't prevent you from
> operating without a root.crt file of your own.

SSH doesn't have certificates. The trusted key is as close as you get.
You can compare it to ssl with *only* self-signed-certificate. Where it
prompts you to authenticate the fingerprint of said
self-signed-certificate.

They do it through a prompt. We do it through a file. But as long as you
in pg only deal with self-signed certs, the outcome is pretty much the same.

//Magnus