Bruce Momjian <bruce@momjian.us> writes:
> In terms of your suggestion about root.crt, I think sslverify != none
> should error if it can't verify the server's certificate, whether the
> root.crt file is there or not. If you are asking for sslverify, it
> should do that or error, not ignore the setting if there is no root.crt
> file.
Fair enough.
> The only other approach would be to add an sslverify value of
> 'try' that tries only if root.crt exists.
+1 for adding a "try" setting (though I'm not sure if I like that name
or not). I don't think that we actually have any choice in the matter.
By the end of beta, we *will* have such a setting; the only question
in my mind is whether it will be default or not. That depends on
exactly how nasty the villagers become ...
regards, tom lane