Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist

From Israel Barth Rubio
Subject Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Msg-id CAO_rXXBrU=2UB9LsGH41dLfW5sntMX9+bEpHEiN8J4yTMNaN7g@mail.gmail.com
In reply to Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist  (Jacob Champion <jchampion@timescale.com>)
Responses Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
List pgsql-hackers

Hello Jacob,

> I'm not sure how helpful it is to assign "blame" here. I think the
> requested improvement is reasonable -- it should be possible to
> override the default for a particular connection, without having to
> pick a junk value that you hope doesn't match up with an actual file
> on the disk.

Right, I agree we can look for improvements. "blame" was likely
not the best word to express myself in that message.

> sslmode=disable isn't used in either of our proposals, though. Unless
> I'm missing what you mean?

Sorry about the noise, I misread the code snippet shared earlier
(sslmode x sslcertmode). I just took a closer look at the previously
mentioned patch about sslcertmode and it seems to be a slightly
more elegant way of achieving something similar to what has
been proposed here.

Best regards,
Israel.

On Wed, Jan 25, 2023 at 14:09, Jacob Champion <jchampion@timescale.com> wrote:
On Wed, Jan 25, 2023 at 7:47 AM Israel Barth Rubio
<barthisrael@gmail.com> wrote:
> I imagine more people might have already hit a similar situation too. While the
> workaround can seem a bit weird, in my very humble opinion the user/client is
> somehow still the one to blame in this case as it is providing the "wrong" file in
> a path that is checked by libpq. With that in mind I would be inclined to say it is
> an acceptable workaround.

I'm not sure how helpful it is to assign "blame" here. I think the
requested improvement is reasonable -- it should be possible to
override the default for a particular connection, without having to
pick a junk value that you hope doesn't match up with an actual file
on the disk.

> Although both patches achieve a similar goal regarding not sending the
> client certificate there is still a slight but in my opinion important difference
> between them: sslmode=disable will also disable channel encryption. It
> may or may not be acceptable depending on how the connection is between
> your client and the server.

sslmode=disable isn't used in either of our proposals, though. Unless
I'm missing what you mean?

--Jacob
