Re: sslmode patch - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: sslmode patch
Msg-id 200307261350.h6QDoG602897@candle.pha.pa.us
In response to sslmode patch  (Jon Jensen <jon@endpoint.com>)
List pgsql-patches
Newest patch applied.  Thanks.

---------------------------------------------------------------------------

Jon Jensen wrote:
> Folks,
>
> At long last I put together a patch to support 4 client SSL negotiation
> modes (and replace the requiressl boolean). The four options were first
> spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
> to pgsql-hackers, archived here:
>
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
>
> My original less-flexible patch and the ensuing thread are archived at:
>
> http://dbforums.com/t623845.html
>
> Attached is a new patch, including documentation.
>
> To sum up, there's a new client parameter "sslmode" and environment
> variable "PGSSLMODE", with these options:
>
> sslmode   description
> -------   -----------
> disable   Unencrypted non-SSL only
> allow     Negotiate, prefer non-SSL
> prefer    Negotiate, prefer SSL (default)
> require   Require SSL
>
> The only change to the server is a new pg_hba.conf line type,
> "hostnossl", for specifying connections that are not allowed to use SSL
> (for example, to prevent servers on a local network from accidentally
> using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
>
> pg_hba.conf line types
> ----------------------
> host       applies to either SSL or regular connections
> hostssl    applies only to SSL connections
> hostnossl  applies only to regular connections
>
> These client and server options, the postgresql.conf ssl = false option,
> and finally the possibility of compiling with no SSL support at all,
> make quite a range of combinations to test. I threw together a test
> script to try many of them out. It's in a separate tarball with its
> config files, a patch to psql so it'll announce SSL connections even in
> the absence of a tty, and the test output. The test is especially informative
> when run on the same tty the postmaster was started on, so the FATAL:
> errors during negotiation are interleaved with the psql client output.
>
> I saw Tom write that new submissions for 7.4 have to be in before midnight
> local time, and since I'm on the east coast in the US, this just makes it
> in before the bell. :)
>
> Jon

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
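The sslmode and pg_hba.conf combinations summarised in the quoted mail, as an added example that is not part of the original thread or of libpq itself: a small Python model of how a client in each mode negotiates against a server described by its ssl setting and the pg_hba.conf line type that matches it. The fallback order per mode (allow tries non-SSL first and then SSL, prefer tries SSL first and then non-SSL) is assumed from the libpq sslmode documentation of that era, and the Server, attempt, negotiate and matrix names are mine.

```python
# Added example, not code from the patch or from libpq: models the outcome of
# the four client sslmode values against a server's ssl setting and the
# pg_hba.conf line type (host/hostssl/hostnossl) that matches the client.
# Assumed fallback order: allow = non-SSL then SSL, prefer = SSL then non-SSL.
from dataclasses import dataclass

SSL, PLAIN, REFUSED = "ssl", "plain", "refused"


@dataclass(frozen=True)
class Server:
    ssl_enabled: bool   # postgresql.conf ssl = true and built with SSL support
    hba_type: str       # matching pg_hba.conf line: host, hostssl or hostnossl


def attempt(server: Server, use_ssl: bool) -> str:
    """One connection attempt; returns SSL/PLAIN on success, REFUSED otherwise."""
    if use_ssl:
        # Client sends SSLRequest; a server without SSL answers 'N' and the
        # attempt counts as failed for this mode's fallback logic.
        if not server.ssl_enabled:
            return REFUSED
        # SSL handshake completed; pg_hba.conf is checked for an SSL connection.
        return SSL if server.hba_type in ("host", "hostssl") else REFUSED
    # Plain startup; pg_hba.conf is checked for a non-SSL connection.
    return PLAIN if server.hba_type in ("host", "hostnossl") else REFUSED


def negotiate(sslmode: str, server: Server) -> str:
    """Apply each sslmode's first choice and fallback, return the final outcome."""
    if sslmode == "disable":
        return attempt(server, use_ssl=False)
    if sslmode == "require":
        return attempt(server, use_ssl=True)
    if sslmode == "allow":
        first = attempt(server, use_ssl=False)
        return first if first != REFUSED else attempt(server, use_ssl=True)
    if sslmode == "prefer":
        first = attempt(server, use_ssl=True)
        return first if first != REFUSED else attempt(server, use_ssl=False)
    raise ValueError(f"unknown sslmode: {sslmode}")


def matrix() -> dict:
    """Outcome for every (sslmode, ssl_enabled, hba_type) combination."""
    out = {}
    for mode in ("disable", "allow", "prefer", "require"):
        for ssl_on in (True, False):
            for hba in ("host", "hostssl", "hostnossl"):
                out[(mode, ssl_on, hba)] = negotiate(mode, Server(ssl_on, hba))
    return out


if __name__ == "__main__":
    for (mode, ssl_on, hba), result in sorted(matrix().items()):
        print(f"{mode:8} ssl={ssl_on!s:5} {hba:10} -> {result}")
```

The matrix makes the practical point visible: only require refuses when the server cannot offer SSL, while prefer silently ends up in plaintext, and a hostssl-only entry is what turns an allow client into an encrypted one.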
