On Mon, Dec 2, 2013 at 04:56:56PM -0500, Stephen Frost wrote: > * Ian Pilcher (arequip...@gmail.com) wrote: > > > In any case, the idea that this is somehow OpenSSL's fault and another > > > implementation of the same protocol wouldn't have the same issue sounds > > > pretty silly. > > > > Actually other implementations do this. In fact, a flag was added to > > OpenSSL fairly recently to allow validating a chain only up to an > > intermediate CA for this very reason. > > Perhaps that's been a recent change, but it certainly wasn't part of the > original approach and complaining that PG doesn't do it is hardly fair. > Indeed, it sounds like this is something which should *still* be done > outside of PG and through however you configure OpenSSL on your system. > > Regardless, it's completely off-topic for this discussion, which is > about documenting what we *currently* do. If you'd like to propose a > new set of features, or better yet, a rework of how we configure SSL in > PG, please do so on another thread. :)
Uh, this thread actually started with Ian's feature request, and has changed to document the current behavior. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers