Tom Lane wrote:
> Dan Kaminsky <dan@doxpara.com> writes:
> > Lets talk about the verify_cb callback first: Suppose there's a
> > man-in-the-middle between the PG client and the PG server. Is some
> > secondary force going to apply some Trusted CA list?
>
> I'm not sure why we have verify_cb at all -- so far as I can see,
> it just specifies the same behavior as OpenSSL's default. Are
> you saying that OpenSSL's default verification behavior is broken?
verify_cb() is just a throwaway true parameter for the function, I
assume.
> > Second, are you saying verify_peer doesn't do anything for
> > authentication? Are you sure about that? There's really little reason
> > otherwise for the call to exist.
>
> Er, we don't *have* a verify_peer callback.
Uh, the user reported running Postgres 7.3 and we have improved SSL
quite a bit since then so perhaps an upgrade and reading the current
docs would help the user.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +