Bruce Momjian wrote: > Magnus Hagander wrote: >> Attached patch cleans up the certificate verification in libpq, and adds >> a configuration paraqmeter to control it. The new parameter is >> "sslverify", and can be set to: > > Because SSL offers both encryption and authentication, I wonder if we > should call this "sslauthenticate".
I think that would confuse people with actual SSL certificate based authentication, which we do not (yet) have. >> * cn = default = will validate that the certificate chains to a trusted >> root, *and* that the cn on the certificate matches the hostname >> specificed in the connection. This is the only option that prevents >> man-in-the-middle attacks completely, and therefor is the default. > > Should this be "commonname"? "cn" is a fairly standard way to refer to it, but if people think the longer name is better, I'm ok with changing it. >> * cert = what we had before if there was a root certificate file = will >> validate that the certificate chains to a trusted root, but ignore the cn. > > Should this be "chain"? Could be, not sure. //Magnus -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
