Re: Refuse SSL patch - Mailing list pgsql-patches
| From | Bruce Momjian |
|---|---|
| Subject | Re: Refuse SSL patch |
| Date | |
| Msg-id | 200301070700.h0770MC26102@candle.pha.pa.us Whole thread Raw |
| In response to | Refuse SSL patch (Jon Jensen <jon@endpoint.com>) |
| Responses |
Re: Refuse SSL patch
(Jon Jensen <jon@endpoint.com>)
|
| List | pgsql-patches |
Jon, I just documented the service/PGSERVICE capability in the CVS tree.
It allows a pg_service.conf file that controls additional libpq
connection options. In your app, you just do:
connectdb("service=conn1")
and "conn1" is looked up in pg_service.conf and it gets its other
connection parameters from there. The code is already in 7.3. I just
documented it, and changed auto-dbname setting to be active only when
they don't specify a dbname. Also, I created a sample file called
pg_service.conf.sample.
This may provide a better way for you to control SSL rather than
changing PGREQUIRE_SSL, which was also recently documented in the CVS
tree.
I don't think overloading REQUIRE to mean something else is really the
way to go. Looking at your options, we have:
> > 0 - Refuse SSL
Hard to imagine why someone would pick this one.
> > 1 - Negotiate, Prefer non-SSL
This is the only new valid one. My question is why you would specify ssl
on the host if you don't need ssl?
> > 2 - Negotiate, Prefer SSL (default)
Already the default for no requiressl.
> > 3 - Require SSL
Already requiressl.
If the problem is that some apps need requiressl and others don't, I
think the service file may be your cleanest option.
---------------------------------------------------------------------------
Jon Jensen wrote:
> PostgreSQL hackers,
>
> This patch allows the PostgreSQL server to refuse SSL connections
> selectively, and the clients to not initiate SSL connections.
>
> The point is for me to be able to choose non-SSL connections over SSL,
> even when SSL is available, for maximum performance. I've got a PostgreSQL
> server that has a separate private network link to an application server,
> and I want database connections there to always be non-SSL for speed. But
> I also connect to the same PostgreSQL instance from a remote site, and
> always want that connection to be SSL only for security.
>
> I haven't seen any previous mention of a similar patch, though I found the
> following idea proposed by Magnus Hagander which I like:
>
> > Perhaps we shuold replace PGREQUIRE_SSL with "PGSSLMODE", being:
> > 0 - Refuse SSL
> > 1 - Negotiate, Prefer non-SSL
> > 2 - Negotiate, Prefer SSL (default)
> > 3 - Require SSL
>
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
>
> He also notes the desire to be able to disable SSL for speed.
>
> Magnus's post was over two years ago and it doesn't appear anything along
> these lines was done. Since then the current setup of 'host'/'hostssl' in
> pg_hba.conf and the client connect option 'requiressl' is pretty firmly
> engrained, so to keep compatibility I added 'hostnossl' to pg_hba and a
> 'nossl' option to the client library.
>
> Patch against PostgreSQL 7.2.3 is attached.
>
> Is this useful to others? If you'd like me to make some changes to make it
> acceptable, please let me know.
>
> Thanks,
> Jon
Content-Description:
[ Attachment, skipping... ]
Content-Description:
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
pgsql-patches by date: