On Mon, Dec 2, 2013 at 04:56:56PM -0500, Stephen Frost wrote:
> * Ian Pilcher (arequipeno@gmail.com) wrote:
> > > In any case, the idea that this is somehow OpenSSL's fault and another
> > > implementation of the same protocol wouldn't have the same issue sounds
> > > pretty silly.
> >
> > Actually other implementations do this. In fact, a flag was added to
> > OpenSSL fairly recently to allow validating a chain only up to an
> > intermediate CA for this very reason.
>
> Perhaps that's been a recent change, but it certainly wasn't part of the
> original approach and complaining that PG doesn't do it is hardly fair.
> Indeed, it sounds like this is something which should *still* be done
> outside of PG and through however you configure OpenSSL on your system.
>
> Regardless, it's completely off-topic for this discussion, which is
> about documenting what we *currently* do. If you'd like to propose a
> new set of features, or better yet, a rework of how we configure SSL in
> PG, please do so on another thread. :)
Uh, this thread actually started with Ian's feature request, and has
changed to document the current behavior.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ Everyone has their own god. +