On Wed, 20 Jun 2007, Albe Laurenz wrote:
> Should I go ahead and write a patch against CVS HEAD, including
> sslfactory? I guess I should write a patch for the documentation too
> then.

Yes, please.

> As you say, that discussion should happen elsewhere, but I believe that
> SSL without certificate validation would be a good default
> because this is the way it is done everywhere else in PostgreSQL.

One of the ideas that Oliver had was to make the ssl parameter take a
String value so you could say things like ssl=try or ssl=require or
ssl=none. See the brief code around
org.postgresql.core.v3.ConnectionFactoryImpl#openConnectionImpl. We could
do that and add ssl=validate or ssl=novalidate. That would make it easier
for people to change the validation setting without getting into the
details of sslfactory. I didn't think ssl=try was a really useful setting
so resisted the idea at the time, but now that there are more interesting
options perhaps we should give the idea another look.

Kris Jurka