Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From Bruce Momjian
Subject Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date
Msg-id 200904141731.n3EHVfX14854@momjian.us
In reply to Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Bruce Momjian <bruce@momjian.us>)
List pgsql-bugs
Applied.  Depending on how we handle this the error text might need to
change but odds are we will still need to report something related to
sslmode/sslverify when root.crt is missing.

---------------------------------------------------------------------------

Bruce Momjian wrote:
> Peter Eisentraut wrote:
> > On Friday 10 April 2009 08:39:33 Martin Pitt wrote:
> > > Tom Lane [2009-04-10  1:15 -0400]:
> > > > Martin Pitt <mpitt@debian.org> writes:
> > > > > The test suite detected one regression in libpq, though: Setting
> > > > > $PGHOST now complains about a missing root.crt, although this is only
> > > > > relevant on the server side (or did I misunderstand this?)
> > > >
> > > > No, that's a progression: the client wants to validate the server's
> > > > cert, too.
> > >
> > > Indeed it is nice to see this feature (great to prevent spoofing), but
> > > if I don't have a ~/.postgresql/root.crt at all, it shouldn't
> > > certainly break completely? (which it does now).
> >
> > I assume the server has the snakeoil certificate installed?  In that case, it
> > is correct that the client refuses to proceed, although the exact manner of
> > breaking could perhaps be improved.
>
> I have developed a patch to more clearly explain the problem with a
> missing client root.crt file:
>
>     $ PGSSLVERIFY=cn sql -h localhost test
>     psql: root certificate file "/u/postgres/.postgresql/root.crt" does not exist
>     Either supply the file or set sslverify to "none" to disable server certificate verification.
>
>     $ PGSSLVERIFY=none sql -h localhost test
>     psql (8.4beta1)
>     SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>     Type "help" for help.
>
> I had to add a second error message line;  I didn't see us doing a
> second line anywhere else in libpq, but it seemed to be the only
> solution.  Should I use three lines?
>
> --
>   Bruce Momjian  <bruce@momjian.us>        http://momjian.us
>   EnterpriseDB                             http://enterprisedb.com
>
>   + If your life is a hard drive, Christ can be your backup. +



--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
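
The client-side check this thread discusses, as an added C sketch that is not the applied patch or any libpq code: verification is skipped only for an explicit `none`, and a missing root certificate stops the connection with the two-line message instead of silently connecting unverified. `check_root_cert` and `verify_result` are hypothetical names, treating an unset `sslverify` as "verify" is an assumption taken from the report where only `$PGHOST` was set, and the second error text is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum verify_result { VERIFY_SKIP = 0, VERIFY_READY = 1, VERIFY_FAIL = -1 };

/* Hypothetical helper (not a libpq function): decide whether a client may
 * go on to the SSL handshake for a given sslverify value and root.crt path. */
enum verify_result
check_root_cert(const char *sslverify, const char *rootcert,
                char *errbuf, size_t errlen)
{
    struct stat st;

    errbuf[0] = '\0';
    /* Only the exact string "none" turns verification off. Unset or
     * misspelled values fall through and are treated as "verify". */
    if (sslverify != NULL && strcmp(sslverify, "none") == 0)
        return VERIFY_SKIP;
    if (rootcert == NULL || stat(rootcert, &st) != 0)
    {
        /* Two-line message modelled on the output quoted in the thread. */
        snprintf(errbuf, errlen,
                 "root certificate file \"%s\" does not exist\n"
                 "Either supply the file or set sslverify to \"none\" "
                 "to disable server certificate verification.\n",
                 rootcert ? rootcert : "(unset)");
        return VERIFY_FAIL;
    }
    if (!S_ISREG(st.st_mode) || st.st_size == 0)
    {
        /* Constructed wording: a directory or empty file cannot hold a CA. */
        snprintf(errbuf, errlen,
                 "root certificate file \"%s\" is not a usable file\n", rootcert);
        return VERIFY_FAIL;
    }
    return VERIFY_READY;
}

int main(void)
{
    char path[1024], err[1536];
    const char *home = getenv("HOME");
    enum verify_result r;
    snprintf(path, sizeof path, "%s/.postgresql/root.crt", home ? home : ".");
    r = check_root_cert(getenv("PGSSLVERIFY"), path, err, sizeof err);
    fputs(err, stderr);          /* empty unless r == VERIFY_FAIL */
    return r == VERIFY_FAIL;
}
```
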
