Re: sslmode=require fallback - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: sslmode=require fallback
Date
Msg-id CABUevEz2c5b7WNfd+pCkayM-Dh4bjME7xa3XXFaZv0d5HHQr_w@mail.gmail.com
In response to Re: sslmode=require fallback  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers


On Thu, Jun 23, 2016 at 1:50 AM, Bruce Momjian <bruce@momjian.us> wrote:
> On Thu, Jun 16, 2016 at 10:42:56AM +0200, Magnus Hagander wrote:
> >     However, if this is the expected behavior, the documentation at
> >     https://www.postgresql.org/docs/current/static/libpq-ssl.html should be updated to
> >     make this more clear. It should be made clear that the existence of the
> >     file ~/.postgresql/root.crt changes the behavior of sslmode=require and
> >     sslmode=prefer.
> >
> > Agreed. It's basically backwards compatibility with something that was badly
> > documented in the first place :) That's not a particularly strong argument for
> > the way it is. Clarifying the documentation would definitely be a good
> > improvement.
>
> Does this have to remain backward-compatible forever?

In general no. But I think the problem here is that if somebody misses the removal of something backwards compatible, it turns off their security. Which is not good... 
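
An added example, not part of the original message or of libpq's code: a client-side audit in Python that models the libpq documentation's rule discussed in this thread, where sslmode=require behaves like verify-ca when the root CA file exists. The function names, result labels and sample settings are assumptions for illustration; the audit flags settings whose certificate verification depends only on that file being present, so they can be switched to an explicit sslmode=verify-ca.

```python
import os
import tempfile

# libpq's default sslrootcert location, as named in the thread.
DEFAULT_ROOT = "~/.postgresql/root.crt"


def audit_sslmode(params, env=None):
    """Classify what a libpq client setting enforces (labels are this example's own)."""
    env = os.environ if env is None else env
    mode = params.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    root = params.get("sslrootcert") or env.get("PGSSLROOTCERT") or DEFAULT_ROOT
    root_exists = os.path.isfile(os.path.expanduser(root))

    implicit = False
    if mode in ("verify-ca", "verify-full"):
        # Explicit verification: a missing root file is a hard error.
        effective = mode if root_exists else "connection-fails"
    elif mode == "require":
        # Backward-compatibility rule: the file's presence alone decides.
        effective = "verify-ca" if root_exists else "encrypt-only"
        implicit = root_exists
    else:
        # disable / allow / prefer may end up unencrypted.
        effective = "no-guarantee"
    return {"sslmode": mode, "root_exists": root_exists,
            "effective": effective, "implicit": implicit}


def implicit_verifiers(settings, env=None):
    """Names of settings that are verified only because the root file exists."""
    return [name for name, p in settings.items()
            if audit_sslmode(p, env)["implicit"]]


if __name__ == "__main__":
    # Constructed sample: an empty stand-in CA file and three client settings.
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "root.crt")
        open(ca, "w").close()
        settings = {
            "app": {"sslmode": "require", "sslrootcert": ca},
            "batch": {"sslmode": "verify-ca", "sslrootcert": ca},
            "legacy": {"sslmode": "require", "sslrootcert": os.path.join(d, "none.crt")},
        }
        for name, p in settings.items():
            print(name, audit_sslmode(p, env={}))
        print("make explicit (sslmode=verify-ca):", implicit_verifiers(settings, env={}))
```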
