On 10/22/2012 10:18 AM, Robert Haas wrote:
> On Sun, Oct 21, 2012 at 11:02 AM, Martijn van Oosterhout
> <kleptog@svana.org> wrote:
>> It bugs me every time you have to jump through hoops and get red
>> warnings for an unknown CA, whereas no encryption whatsoever is treated
>> as fine while being actually even worse.
> +1. Amen, brother.
>
Not really, IMNSHO. The difference is that an unencrypted session isn't
pretending to be secure. In any case, it doesn't seem too intrusive for
us to warn, at least in psql, with something like:
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Host
Certificate Unverified
If people want to get more paranoid they can always set PGSSLMODE to
verify-ca or verify-full.
cheers
andrew