On Fri, Jul 15, 2016 at 4:14 AM, Magnus Hagander <mag...@hagander.net> wrote: >> The original complaint was not actually that "prefer" is a bad default, >> but that in the presence of a root certificate on the client, a >> certificate validation failure falls back to plain text. That seems >> like a design flaw of the "prefer" mode, no matter whether it is the >> default or not. > > The entire "prefer" mode is a design flaw, that we unfortunately picked as > default mode.
Well, you keep saying that, but what I'm saying is you should stop complaining about and start figuring out how to fix it. :-) > If it fails *for any reason*, it falls back to plaintext. Thus, you have to > assume it will make a plaintext connection. Thus, it gives you zero > guarantees, so it serves no actual purpose from a security perspective. > > it will equally fall back on incompatible SSL configs. Or on a network > hiccup. The presence of the certificate is just one of many different > scenarios where it will fall back. > > If you care about encryption, you should pick something else > (require/verify). If you don't care about encryption, you should pick > something else (allow, probably) so as not to pay unnecessary overhead. If we think trying to push everyone on to SSL isn't a good plan, then how about changing the default to allow? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers