Magnus Hagander [2009-04-11 11:50 +0200]:
> It treats self-signed certificates the same way it treats anything else.
> In the case of a self-signed one, the certificate and the CA certificate
> are the same. Thus, you have to copy the server certificate to the client.
Right, that's what I had expected. Thanks for confirming.
> > I had thought it checks whether the user has the server signing
> > certificate of the server installed on his client home directory
> > (which, BTW, seems like a strange place to default to, and thus keep
> > it).
>
> That has just been brought up from previous versions. Perhaps we need to
> have a system wide root store as well - then you could point that to
> whatever snakeoil store you have, and it would find the cert correctly?
We couldn't set this up by default, of course, since each installed
machine will have a different snakeoil cert (it gets generated during
installation). But at least the servers I know often use something
like /etc/ssl/certs/<myservername>.crt and point their services (like
apache, postfix, etc.) to this. However, right now the client side
psql does not have any system wide configuration files, so adding
something like this will need some careful design.
Thanks,
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)