Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
From | Magnus Hagander |
---|---|
Subject | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
Date | |
Msg-id | 49E119C8.2090404@hagander.net |
In reply to | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies |
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
List | pgsql-bugs |

Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
>> In terms of your suggestion about root.crt, I think sslverify != none
>> should error if it can't verify the server's certificate, whether the
>> root.crt file is there or not. If you are asking for sslverify, it
>> should do that or error, not ignore the setting if there is no root.crt
>> file.
>
> Fair enough.
>
>> The only other approach would be to add an sslverify value of
>> 'try' that tries only if root.crt exists.
>
> +1 for adding a "try" setting (though I'm not sure if I like that name
> or not). I don't think that we actually have any choice in the matter.
> By the end of beta, we *will* have such a setting; the only question
> in my mind is whether it will be default or not. That depends on
> exactly how nasty the villagers become ...

The option is there already, it's called "none". That's what people are
asking for - they don't care who they are connecting to, just that the
traffic is encrypted (be it legitimate or hacked traffic, at least it's
encrypted). It's just a matter of if it's default or not.

//Magnus