| From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Zeus Kronion <zkronion(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Possible SSL improvements for a newcomer to tackle |
| Date: | 2017-10-04 18:47:45 |
| Message-ID: | CAMkU=1zKmHv3Ei0AH_EMnDYtHNSBPwnpuXwgsY4h0Q9PGaXZ7A@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Oct 2, 2017 at 9:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> It's possible that we could adopt some policy like "if the root.crt file
> exists then default to verify" ... but that seems messy and unreliable,
> so I'm not sure it would really add any security.
>
That is what we do. If root.crt exists, we default to verify-ca.
And yes, it is messy and unreliable. I don't know if it adds any security
or not.
Or do you mean we could default to verify-full instead of verify-ca?
Cheers,
Jeff
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Geoghegan | 2017-10-04 18:50:03 | Re: [COMMITTERS] pgsql: Fix freezing of a dead HOT-updated tuple |
| Previous Message | Nico Williams | 2017-10-04 18:24:03 | Re: [PATCH] Add ALWAYS DEFERRED option for constraints |