> I'm not sure whether our current SSL support does a good job of this > --- I think it only tries to check whether the server > presents a valid certificate, not which cert it is. Possibly > Kerberos does more, but I dunno a thing about that...
If you stick a root certificate (root.crt in ~/.postgresql) for it to validate against, it will be validated against that root. I'm not sure if it validates the common name of the cert though - that would be an issue if you're using a global CA. If you're using a local enterprise CA, that's a much smaller issue (because you yourself have total control over who gets certificates issued by the CA). The way our Kerberos implementation is done, it does *not* validate the server, just the client. If you want server verification, you must use a combination of both Kerberos and SSL. //Magnus ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq