On Mar 7, 2013, at 9:37 AM, Ian Pilcher wrote: > On 03/07/2013 08:28 AM, Tom Lane wrote: >> Maybe I'm missing something, but I don't see why you'd expect a >> different result. That leaves you with no way to validate the server's >> own certificate. > > I don't follow. Why would the server need to validate it's own > certificate?
What Tom said works for me. Here is a page that gives an example and I think it demonstrates that the root CA does not allow everybody in the gate, the chain has to be in place: http://stackoverflow.com/questions/1456034/trouble-understanding-ssl-certificate-chain-verification You can use the "openssl verify" command to test that the root is not wide open on it's own. -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
