Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
>> In terms of your suggestion about root.crt, I think sslverify != none
>> should error if it can't verify the server's certificate, whether the
>> root.crt file is there or not. If you are asking for sslverify, it
>> should do that or error, not ignore the setting if there is no root.crt
>> file.
>
> Fair enough.
>
>> The only other approach would be to add an sslverify value of
>> 'try' that tries only if root.crt exists.
>
> +1 for adding a "try" setting (though I'm not sure if I like that name
> or not). I don't think that we actually have any choice in the matter.
> By the end of beta, we *will* have such a setting; the only question
> in my mind is whether it will be default or not. That depends on
> exactly how nasty the villagers become ...
The option is there already, it's called "none". That's what people are
asking for - they don't care who they are connecting to, just that the
traffic is encrypted (be it legitimate or hacked traffic, at least it's
encrypted).
It's just a matter of if it's default or not.
//Magnus
