Re: Refuse SSL patch - Mailing list pgsql-patches

From: Bruce Momjian
Subject: Re: Refuse SSL patch
Msg-id: 200301071701.h07H1mR21809@candle.pha.pa.us
In response to: Re: Refuse SSL patch (Jon Jensen <jon@endpoint.com>)
Responses: Re: Refuse SSL patch (Jon Jensen <jon@endpoint.com>)
List: pgsql-patches
Jon Jensen wrote:
> > But doesn't pg_hba.conf do that already, in that you say 'host' for the
> > local IP, but ssl for the remote IPs?
>
> The proposed SSLMODE is a client-side configuration option to supersede
> REQUIRESSL, which is also a client configuration option. Here's the
> problem:
>
> 1. The client always tries to connect via SSL if SSL support was compiled
> in. There is no way to change this presently.
> 2. If the server can do SSL *at all*, it negotiates an SSL connection with
> the client.

Oh, that is a key thing I didn't know.  Seems we should just add a libpq
PREVENTSSL option and be done with it.  Seems clearer than numbers, and
hits the most useful functionality.  If they set REQUIRESSL and
PREVENTSSL, we throw an error.

Right now, if they set 'host' in pg_hba.conf, and the client knows SSL,
we use it.  Your idea had the additional functionality of preferring
non-SSL if the server knew SSL but had 'host' in pg_hba.conf.

> But on the other hand, we want some control on the server as well -- we
> may want to disallow SSL connections from a certain IP address, if nothing
> else just to make sure a client doesn't accidentally use SSL over the
> local network because someone forgets not to use it. Otherwise we could be
> accidentally using SSL on the local network and killing performance. So I
> added a 'hostnossl' option to pg_hba.conf, which will allow only non-SSL
> connections from certain IP addresses.

Perhaps your idea of 'hostnossl' in pg_hba.conf is a good one.  That
way, both client and server would have the ability to say never or only
SSL. It allows more central control.

So, in negotiation, that only leaves open the question of what happens
when none of those are set, and it seems we prefer SSL in such cases.
Is that the correct default?

In fact, once we have 'hostnossl' why do we need PREVENTSSL in libpq?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
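Added example, not code from this thread or from PostgreSQL itself: a small Python model of the client/server SSL negotiation the mail is circling, written with the names that later shipped (libpq sslmode = disable/allow/prefer/require and pg_hba.conf hostssl/hostnossl) rather than the PREVENTSSL and numeric SSLMODE proposals discussed here. The pg_hba.conf fragments, addresses, database and user names are constructed; matching is simplified to literal or 'all' database and user names, and authentication itself is not modelled, only whether a record matches and whether its method is 'reject'.

```python
"""Model of libpq sslmode against pg_hba.conf host/hostssl/hostnossl.

Server side: records are tried in order; the first whose type, database,
user and address all match decides. 'hostssl' matches only SSL connections,
'hostnossl' only plaintext, 'host' both. No match, or a matching record
whose method is 'reject', refuses the connection.

Client side: 'disable' never uses SSL, 'require' only SSL, 'prefer' tries
SSL first and falls back to plaintext if the server lacks SSL or refuses the
SSL attempt, 'allow' tries plaintext first and SSL second.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class HbaRecord:
    conn_type: str              # local | host | hostssl | hostnossl
    database: str
    user: str
    network: Optional[Network]  # None for 'local' (Unix-socket) records
    method: str


def parse_pg_hba(text: str) -> list:
    """Parse the pg_hba.conf subset used here: comments, CIDR or IP+mask."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            ctype, db, user, method = fields[:4]
            records.append(HbaRecord(ctype, db, user, None, method))
            continue
        ctype, db, user, addr, *rest = fields
        if "/" in addr:                       # CIDR form: ADDRESS METHOD
            net, method = ipaddress.ip_network(addr, strict=False), rest[0]
        else:                                 # IP MASK METHOD form
            net = ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False)
            method = rest[1]
        records.append(HbaRecord(ctype, db, user, net, method))
    return records


def hba_match(records, client_ip: str, database: str, user: str, ssl: bool):
    """First record matching a TCP connection, or None (= refused)."""
    ip = ipaddress.ip_address(client_ip)
    for r in records:
        if r.conn_type == "local":
            continue                          # TCP never matches 'local'
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if r.database not in ("all", database) or r.user not in ("all", user):
            continue
        if ip.version != r.network.version or ip not in r.network:
            continue
        return r
    return None


def negotiate(sslmode: str, server_has_ssl: bool, records,
              client_ip: str, database: str = "app", user: str = "app"):
    """Return ('ssl' | 'plain', matching record) or ('rejected', None)."""
    order = {"disable": [False], "allow": [False, True],
             "prefer": [True, False], "require": [True],
             "verify-ca": [True], "verify-full": [True]}[sslmode]
    for ssl in order:
        if ssl and not server_has_ssl:
            continue                  # server answered 'N' to the SSLRequest
        rec = hba_match(records, client_ip, database, user, ssl)
        if rec is not None and rec.method != "reject":
            return ("ssl" if ssl else "plain", rec)
    return ("rejected", None)


# Constructed policy for the situation in the thread: plaintext only on the
# local network, SSL only from anywhere else. The explicit reject line is what
# makes 'hostnossl' bite for a 'prefer' client: without it the SSL attempt
# from the LAN skips 'hostnossl' and is accepted by the last record.
LAN_POLICY = """
# TYPE      DATABASE  USER  ADDRESS      METHOD
hostnossl   all       all   10.0.0.0/8   md5     # LAN: no SSL overhead
host        all       all   10.0.0.0/8   reject  # LAN over SSL: refuse
hostssl     all       all   0.0.0.0/0    md5     # everyone else: SSL only
"""

# The 'nothing set' case from the mail: a plain 'host' record and the client
# left at its default of 'prefer'.
OPEN_POLICY = "host all all 0.0.0.0/0 md5\n"


def outcome(sslmode, server_has_ssl, policy, client_ip):
    return negotiate(sslmode, server_has_ssl, parse_pg_hba(policy), client_ip)[0]


if __name__ == "__main__":
    for mode in ("disable", "allow", "prefer", "require"):
        print(mode, "LAN:", outcome(mode, True, LAN_POLICY, "10.0.0.5"),
              "WAN:", outcome(mode, True, LAN_POLICY, "203.0.113.7"))
```

Two things the model makes visible. First, with the open policy and the default 'prefer', the client lands on SSL whenever the server can do it and silently on plaintext when it cannot, so 'prefer' is a performance preference, not an encryption guarantee; anything that must be encrypted needs 'require' on the client or 'hostssl' (with no later matching 'host' record) on the server. Second, 'hostnossl' alone does not force a 'prefer' client onto plaintext: the SSL attempt simply skips that record and is decided by whatever matches next, which is why the example policy carries an explicit reject line for SSL from the LAN.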
