Martin Pitt wrote:
> I do see the benefit of failing to connect to an SSL-enabled server
> *if* I have a root.crt which doesn't match. But why fail if I don't
> have one?
I have digested this thread, and have done two things: improved the
documentation and posted a patch to make the error message clearer.
In terms of your suggestion about root.crt, I think sslverify != none
should error if it can't verify the server's certificate, whether the
root.crt file is there or not. If you are asking for sslverify, it
should do that or error, not ignore the setting if there is no root.crt
file. The only other approach would be to add an sslverify value of
'try' that tries only if root.crt exists.
A separate issue is if sslverify should default to 'cn'.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +