Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

Martin Pitt wrote:
> Peter Eisentraut [2009-04-10 14:56 +0300]:
>> I assume the server has the snakeoil certificate installed?  In that case, it
>> is correct that the client refuses to proceed, although the exact manner of
>> breaking could perhaps be improved.
>
> Is it really refusing self-signed certificates? That would be strange.

It treats self-signed certificates the same way it treats anything else.
In the case of a self-signed one, the certificate and the CA certificate
are the same. Thus, you have to copy the server certificate to the client.

(This is, of course, not a security issue in itself, because you don't
copy the *key* over. Just as a FYI to those who thought it would be :-P)


> I had thought it checks whether the user has the server signing
> certificate of the server installed on his client home directory
> (which, BTW, seems like a strange place to default to, and thus keep
> it).

That has just been brought up from previous versions. Perhaps we need to
have a system wide root store as well - then you could point that to
whatever snakeoil store you have, and it would find the cert correctly?

//Magnus