Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Agreed. Requiring client root certificate checking is heavy-handed.
>
> There seems to be some confusion here. I didn't think anyone was
> proposing that we force every installation to require client root
> certificate checking. What was under discussion (I thought) was
> providing the ability for a DBA to *choose* to require it.

Oh, yea, that would be OK. I am a little worried that the extra configuration required to turn this on/off might be added complexity for little gain. It might be simpler to allow the administrator to control whether non-checking clients are logged, rather than refusing the connection. I think this makes it clearer the root client check is to make sure all your clients are doing it right, rather than an actual security enhancement (if that makes sense).

> > Of course I am not sure anyone knows how to get that information from
> > SSL.
>
> Yeah, if OpenSSL doesn't support testing for this then the discussion
> is moot...

Yea.

--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +