Re: Successor of MD5 authentication, let's use SCRAM

On 10/22/2012 10:18 AM, Robert Haas wrote:
> On Sun, Oct 21, 2012 at 11:02 AM, Martijn van Oosterhout
> <kleptog@svana.org> wrote:
>> It bugs me every time you have to jump through hoops and get red
>> warnings for an unknown CA, whereas no encryption whatsoever is treated
>> as fine while being actually even worse.
> +1.  Amen, brother.
>

Not really, IMNSHO. The difference is that an unencrypted session isn't 
pretending to be secure. In any case, it doesn't seem too intrusive for 
us to warn, at least in psql, with something like:
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Host 
Certificate Unverified

If people want to get more paranoid they can always set PGSSLMODE to 
verify-ca or verify-full.


cheers

andrew