Re: Refuse SSL patch - Mailing list pgsql-patches

From: Bruce Momjian
Subject: Re: Refuse SSL patch
Msg-id: 200301071547.h07FlgK10329@candle.pha.pa.us
In response to: Re: Refuse SSL patch (Jon Jensen <jon@endpoint.com>)
Responses: Re: Refuse SSL patch (Jon Jensen <jon@endpoint.com>)
List: pgsql-patches
Jon Jensen wrote:
> > I don't think overloading REQUIRE to mean something else is really the
> > way to go.  Looking at your options, we have:
> >
> > > > 0 - Refuse SSL
> >
> > Hard to imagine why someone would pick this one.
>
> But this is the exact reason I started my patch -- I need a server that
> can do SSL to allow *only* SSL connections to an off-site IP address, but
> *only* non-SSL connections to an internal IP address on a private network.
> Speed would suffer greatly if I were to allow SSL connections internally,
> but security would suffer if I disabled all SSL connections.

But doesn't pg_hba.conf do that already, in that you say 'host' for the
local IP, but ssl for the remote IPs?

The only value I see to the existing REQUIRESSL is to say "I am a client
and only want to do SSL", and in that case you can use the services file
to use the same binary on different hosts, and control whether you want
that host to require SSL or not.  It doesn't make the switching based on
who the host is connecting to, but your proposal doesn't do that either.

I have to say I am just still confused over this.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
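The thread turns on what a plain 'host' line in pg_hba.conf actually matches. Below is an added example, not code from the thread or from PostgreSQL, that simulates pg_hba.conf first-match evaluation over a constructed two-line configuration (private LAN via 'host', off-site via 'hostssl'); it uses the CIDR address column of later pg_hba.conf versions rather than the separate IP/mask columns of the 7.3-era format, and also handles the 'hostnossl' type that later versions added.

```python
"""Simulate pg_hba.conf first-match evaluation for host / hostssl / hostnossl.

Added example, not from the mailing-list thread. Assumes the CIDR-style
address column (one field) rather than the older separate IP and netmask columns.
"""
import ipaddress

# Constructed pg_hba.conf: plaintext allowed on the private LAN,
# SSL required for the off-site network (addresses are documentation ranges).
HBA = """
# TYPE     DATABASE  USER  ADDRESS           METHOD
host       all       all   10.0.0.0/8        md5
hostssl    all       all   203.0.113.0/24    md5
"""


def parse_hba(text):
    """Return a list of (type, database, user, network, method) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        conn_type, db, user, addr, method = line.split()
        rules.append((conn_type, db, user, ipaddress.ip_network(addr), method))
    return rules


def match(rules, client_ip, ssl, database="postgres", user="app"):
    """First matching rule as (type, method), or None when no line matches.

    pg_hba.conf stops at the first matching line; a client that matches no
    line is rejected outright.
    """
    ip = ipaddress.ip_address(client_ip)
    for conn_type, db, usr, net, method in rules:
        if conn_type == "hostssl" and not ssl:
            continue            # hostssl lines match only SSL connections
        if conn_type == "hostnossl" and ssl:
            continue            # hostnossl lines match only non-SSL connections
        # A plain 'host' line matches BOTH SSL and non-SSL TCP connections,
        # so by itself it never refuses SSL from the private network.
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip in net:
            return (conn_type, method)
    return None
```

Run `match(parse_hba(HBA), "10.1.2.3", ssl=True)` to see that the internal 'host' line still accepts an SSL connection; only an explicit 'hostnossl' line would turn it away.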
