Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From Tom Lane
Subject Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date
Msg-id 9329.1239489670@sss.pgh.pa.us
In response to Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Magnus Hagander <magnus@hagander.net>)
Responses Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Magnus Hagander <magnus@hagander.net>)
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Bruce Momjian <bruce@momjian.us>)
List pgsql-bugs
Magnus Hagander <magnus@hagander.net> writes:
> Bruce Momjian wrote:
>> The only other approach would be to add an sslverify value of
>> 'try' that tries only if root.crt exists.

> Doesn't "try" make the whole check pretty pointless, and you can just
> set it to "none" then?

Not at all.  What it means is that you control whether to make the check
by putting the file there (or not).  Which you have to do anyway, if you
want to make the check.  All that the current definition of the setting
is accomplishing is forcing people to fool with their environment variables,
which is a pain in the neck to varying degrees depending on platform.

> Inventing a switch that makes it more or less impossible to figure out
> if you are going to be secure or not makes no sense. When dealing with
> security, maybe is the same as no, and you have to *know*.

I am of the opinion that sslverify should have these values:

    off = never verify
    on = verify if root.crt is present (default behavior)
    force = verify, failing if root.crt is not present

and the people who actually want to be "sure they're secure" can set the
"force" value in their environment.

This is not measurably different in effect from the fact that we have
sslmode defaulting to "prefer" rather than "require".  If you want to be
"sure you're secure" you need the latter setting, but I don't believe
there is even remotely a consensus for making that the default.

BTW, what in the world prompted us to use "cn" as an allowed value for
sslverify?  It looks for all the world like a typo for "on".

            regards, tom lane
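
The three sslverify values proposed in the message above, written out as a decision function. This is an added example, not part of the original message and not libpq code; the names `verify_decision` and `decide_verify`, the sample paths, and the choice to treat an unreadable root.crt as a failure are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names; a sketch of the proposal, not libpq code. */
typedef enum { VERIFY_SKIP, VERIFY_DO, VERIFY_FAIL } verify_decision;

/* Map a proposed sslverify value plus the state of root.crt to an action. */
verify_decision decide_verify(const char *sslverify, const char *root_crt)
{
    int present;

    if (strcmp(sslverify, "off") == 0)
        return VERIFY_SKIP;                     /* off: never verify */

    if (access(root_crt, R_OK) == 0)
        present = 1;
    else if (errno == ENOENT || errno == ENOTDIR)
        present = 0;                            /* genuinely absent */
    else
        return VERIFY_FAIL;  /* assumption: present but unreadable is an
                              * error, not a silent downgrade to "skip" */

    if (strcmp(sslverify, "on") == 0)
        return present ? VERIFY_DO : VERIFY_SKIP;
    if (strcmp(sslverify, "force") == 0)
        return present ? VERIFY_DO : VERIFY_FAIL;
    return VERIFY_FAIL;                         /* unrecognised value */
}

int main(void)
{
    static const char *names[] = { "skip", "verify", "fail" };
    static const char *modes[] = { "off", "on", "force" };
    /* Constructed sample paths: one that exists, one that does not. */
    static const char *paths[] = { "/dev/null", "/nonexistent-dir/root.crt" };

    for (int m = 0; m < 3; m++)
        for (int p = 0; p < 2; p++)
            printf("sslverify=%-5s root.crt=%-26s -> %s\n", modes[m],
                   paths[p], names[decide_verify(modes[m], paths[p])]);
    return 0;
}
```

Only the "on" row gives a result that depends on what is on disk, so a client that needs to know whether the server certificate was checked has to record the returned decision or use "force".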
