Hello Israel,
Thanks a lot for the suggestion!
> I do not think it is worth it to change the current behavior of PostgreSQL
> in that sense.
Well, I am not suggesting to change the current behavior of PostgreSQL in
that matter. Quite the contrary, I find this feature very convenient,
especially when you need to deal with many different clusters. What I am
proposing is rather the possibility to disable it on demand :) I mean,
in case I do not want libpq to try to authenticate using the certificates
in `~/.postgresql`.
> PostgreSQL looks for the cert and key under `~/.postgresql` as a facility.
> These files do not exist by default, so if PostgreSQL finds something in
> there it assumes you want to use it.
Yes. I'm just trying to find an elegant way to disable this assumption
on demand.
> I also think it is correct in the sense of choosing the certificate over
> a password based authentication when it finds a certificate as the cert
> based would provide you with stronger checks.
I couldn't agree more.
> It would require that you move the SSL cert and key from `~/.postgresql` to
> somewhere else and specify `sslcert` and `sslkey` in the expected service in the
> `~/.pg_service.conf` file.
That's exactly what I am trying to avoid. IOW, I want to avoid having to move
the cert files to another path and consequently having to configure 30
different entries in the pg_service.conf because of a single server that
does not support ssl authentication.
I do realize that this patch is a big ask, since probably nobody except
me "needs it" :D
Thanks again for the message. Much appreciated!
Best,
Jim