Tom Lane wrote:
> Basically my point here is that the default "prefer" SSL mode
> effectively becomes "require" if the server has a root.crt.
Ok, in the scenario where validation is important, clients should be
using "require" anyway, so it's not an issue so long as libpq doesn't
try to fall back to non-SSL when "require" is in effect.
A default SSL mode of "prefer" does seem a bit dodgy, though -- it only
protects against passive attacks. I'd be tempted to make "disable" the
default, so that you have a better chance of visible errors if clients
are not correctly configured rather than silently forging ahead with a
connection that might be unintentionally insecure. That would mean lots
of pain for existing installs though :(
I had to dig into the libpq docs to find any mention of the environment
variables / config files that set the SSL behaviour. It'd be useful to
have details in the psql manpage too..
-O