Re: Refuse SSL patch - Mailing list pgsql-patches
From | Bruce Momjian |
---|---|
Subject | Re: Refuse SSL patch |
Date | |
Msg-id | 200301070700.h0770MC26102@candle.pha.pa.us Whole thread Raw |
In response to | Refuse SSL patch (Jon Jensen <jon@endpoint.com>) |
Responses |
Re: Refuse SSL patch
(Jon Jensen <jon@endpoint.com>)
|
List | pgsql-patches |
Jon, I just documented the service/PGSERVICE capability in the CVS tree. It allows a pg_service.conf file that controls additional libpq connection options. In your app, you just do: connectdb("service=conn1") and "conn1" is looked up in pg_service.conf and it gets its other connection parameters from there. The code is already in 7.3. I just documented it, and changed auto-dbname setting to be active only when they don't specify a dbname. Also, I created a sample file called pg_service.conf.sample. This may provide a better way for you to control SSL rather than changing PGREQUIRE_SSL, which was also recently documented in the CVS tree. I don't think overloading REQUIRE to mean something else is really the way to go. Looking at your options, we have: > > 0 - Refuse SSL Hard to imagine why someone would pick this one. > > 1 - Negotiate, Prefer non-SSL This is the only new valid one. My question is why you would specify ssl on the host if you don't need ssl? > > 2 - Negotiate, Prefer SSL (default) Already the default for no requiressl. > > 3 - Require SSL Already requiressl. If the problem is that some apps need requiressl and others don't, I think the service file may be your cleanest option. --------------------------------------------------------------------------- Jon Jensen wrote: > PostgreSQL hackers, > > This patch allows the PostgreSQL server to refuse SSL connections > selectively, and the clients to not initiate SSL connections. > > The point is for me to be able to choose non-SSL connections over SSL, > even when SSL is available, for maximum performance. I've got a PostgreSQL > server that has a separate private network link to an application server, > and I want database connections there to always be non-SSL for speed. But > I also connect to the same PostgreSQL instance from a remote site, and > always want that connection to be SSL only for security. > > I haven't seen any previous mention of a similar patch, though I found the > following idea proposed by Magnus Hagander which I like: > > > Perhaps we shuold replace PGREQUIRE_SSL with "PGSSLMODE", being: > > 0 - Refuse SSL > > 1 - Negotiate, Prefer non-SSL > > 2 - Negotiate, Prefer SSL (default) > > 3 - Require SSL > > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php > > He also notes the desire to be able to disable SSL for speed. > > Magnus's post was over two years ago and it doesn't appear anything along > these lines was done. Since then the current setup of 'host'/'hostssl' in > pg_hba.conf and the client connect option 'requiressl' is pretty firmly > engrained, so to keep compatibility I added 'hostnossl' to pg_hba and a > 'nossl' option to the client library. > > Patch against PostgreSQL 7.2.3 is attached. > > Is this useful to others? If you'd like me to make some changes to make it > acceptable, please let me know. > > Thanks, > Jon Content-Description: [ Attachment, skipping... ] Content-Description: [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 3: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
pgsql-patches by date: