Re: Unfriendly handling of pg_hba SSL options with SSL off - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Unfriendly handling of pg_hba SSL options with SSL off
Msg-id 16395.1303751481@sss.pgh.pa.us
In response to Re: Unfriendly handling of pg_hba SSL options with SSL off  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Unfriendly handling of pg_hba SSL options with SSL off  (Magnus Hagander <magnus@hagander.net>)
Re: Unfriendly handling of pg_hba SSL options with SSL off  (Robert Haas <robertmhaas@gmail.com>)
Re: Unfriendly handling of pg_hba SSL options with SSL off  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I'm inclined to think that the correct fix is to make parse_hba_line,
>> where it first realizes the line is "hostssl", check not only that SSL
>> support is compiled but that it's turned on.

> It's not clear to me what behavior you are proposing.  Would we
> disregard the hostssl line or treat it as an error?

Sorry, I wasn't clear.  I meant to throw an error.  We already do throw
an error if you put hostssl in pg_hba.conf when SSL support wasn't
compiled at all.  Why shouldn't we throw an error if it's compiled but
not turned on?

Or we could go in the direction of making hostssl lines be a silent
no-op in both cases, but that doesn't seem like especially user-friendly
design to me.  We don't treat any other cases in pg_hba.conf comparably
AFAIR.
        regards, tom lane
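
An added illustration, not part of the original message and not PostgreSQL's code: a simplified Python model of the two behaviours discussed above for a `hostssl` line when SSL is unusable (throw an error versus silent no-op). The names `parse_hba`, `HbaError`, `silent_noop`, the error wording and the sample file are assumptions made for this example.

```python
# Added illustration; a simplified model, not PostgreSQL's parse_hba_line.
from dataclasses import dataclass

CONN_TYPES = {"local", "host", "hostssl", "hostnossl"}

class HbaError(ValueError):
    """Raised when a pg_hba.conf line cannot be honoured."""

@dataclass
class HbaRule:
    lineno: int
    conntype: str
    fields: list

def parse_hba(text, ssl_compiled, ssl_enabled, silent_noop=False):
    """Return the rules that take effect.

    silent_noop=False: hostssl without usable SSL is an error (the behaviour
    argued for in the message). silent_noop=True: the line is dropped
    without complaint (the alternative the message rejects).
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments (quoting not modelled)
        if not line:
            continue
        fields = line.split()
        conntype = fields[0]
        if conntype not in CONN_TYPES:
            raise HbaError(f"line {lineno}: invalid connection type {conntype!r}")
        if conntype == "hostssl" and not (ssl_compiled and ssl_enabled):
            if silent_noop:
                continue
            reason = ("SSL is compiled in but turned off" if ssl_compiled
                      else "SSL support is not compiled in")
            raise HbaError(f"line {lineno}: hostssl is not usable: {reason}")
        rules.append(HbaRule(lineno, conntype, fields[1:]))
    return rules

# Constructed sample file, not taken from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS      METHOD
local    all      all               peer
hostssl  all      all  10.0.0.0/8   md5
host     all      all  127.0.0.1/32 md5
"""
```

With `silent_noop=True` the `hostssl` rule on line 3 of the sample disappears from the effective rule set without any diagnostic, which is the outcome the error-raising variant makes visible at load time.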

