Tom Lane wrote:
> Martin Pitt <mpitt@debian.org> writes:
>> I do see the benefit of failing to connect to an SSL-enabled server
>> *if* I have a root.crt which doesn't match. But why fail if I don't
>> have one?
>
> I think I agree with Martin on this. The server doesn't fail if you
> don't provide it a root cert; it just doesn't try to trace client certs
> to the root. It is not apparent why the client should be stricter than
> that, and definitely not apparent why such strictness should be the
> default behavior.
It's "secure by default". Without it, most people will *never* get
protected by verifying the certificate because they will not manually
copy root certificates there. And it would open up a big window for
making a very simple mistake (file missing or wrong name) that would
then silently disable SSL verification completely.
Arguably it's a bug to silently install a snakeoil cert by default. But
I realize that you have issues with backwards compatibility. How about
changing it so it points PGSSLROOTCERT to a system wide location that
holds the root.crt file? The user can then override this if proper
verification of a real certificate is wanted.
(you could also disable certificate verification by setting
PGSSLVERIFY=none, but that seems like a much worse fix)
//Mangus