Applied. Depending on how we handle this the error text might need to change but odds are we will still need to report something related to sslmode/sslverify when root.crt is missing.
--------------------------------------------------------------------------- Bruce Momjian wrote: > Peter Eisentraut wrote: > > On Friday 10 April 2009 08:39:33 Martin Pitt wrote: > > > Tom Lane [2009-04-10 1:15 -0400]: > > > > Martin Pitt <mp...@debian.org> writesyuqhom#3: > > > > > The test suite detected one regression in libpq, though: Setting > > > > > $PGHOST now complains about a missing root.crt, although this is only > > > > > relevant on the server side (or did I misunderstood this?) > > > > > > > > No, that's a progression: the client wants to validate the server's > > > > cert, too. > > > > > > Indeed it is nice to see this feature (great to prevent spoofing), but > > > if I don't have a ~/.postgresql/root.crt at all, it shouldn't > > > certainly break completely? (which it does now). > > > > I assume the server has the snakeoil certificate installed? In that case, > > it > > is correct that the client refuses to proceed, although the exact manner of > > breaking could perhaps be improved. > > I have developed a patch to more clearly explain the problem with a > missing client root.crt file: > > $ PGSSLVERIFY=cn sql -h localhost test > psql: root certificate file "/u/postgres/.postgresql/root.crt" does not > exist > Either supply the file or set sslverify to "none" to disable server > certificate verification. > > $ PGSSLVERIFY=none sql -h localhost test > psql (8.4beta1) > SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) > Type "help" for help. > > I had to add a second error message line; I didn't see us doing a > second line anywhere else in libpq, but it seemed to be the only > solution. Should I use three lines? > > -- > Bruce Momjian <br...@momjian.us> http://momjian.us > EnterpriseDB http://enterprisedb.com > > + If your life is a hard drive, Christ can be your backup. + > > -- > Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-bugs -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
