Jon Jensen <jon@endpoint.com> writes:
> I haven't seen any previous mention of a similar patch, though I found the
> following idea proposed by Magnus Hagander which I like:
>> Perhaps we should replace PGREQUIRE_SSL with "PGSSLMODE", being:
>> 0 - Refuse SSL
>> 1 - Negotiate, Prefer non-SSL
>> 2 - Negotiate, Prefer SSL (default)
>> 3 - Require SSL
Hm, I like that better than two independent boolean vars (it's not
obvious which should override the other, or why); moreover it adds
more functionality (your approach does not provide a way to do mode 1).
For backwards compatibility, if PGSSLMODE is not set then you could look
for PGREQUIRE_SSL, and assume mode 3 (rather than the default 2) if
PGREQUIRE_SSL is set.
It might be better to use keywords or mnemonics of some kind in place of
these arbitrary numeric codes. No strong feeling about that.
> Is this useful to others? If you'd like me to make some changes to make it
> acceptable, please let me know.
Patches to the relevant documentation would be a minimum requirement.
(In looking at this, I observe the original patch neglected to document
the PGREQUIRE_SSL environment variable; don't emulate that bad example.)
regards, tom lane
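
The lookup order discussed in this message (PGSSLMODE first, then the PGREQUIRE_SSL fallback, then the default), as an added example that is not part of the original message or of the libpq source. The function and enum names are hypothetical; treating "set" as present and non-empty, and rejecting an unparseable PGSSLMODE instead of falling back to a weaker mode, are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mode numbers as proposed in the quoted message; names are hypothetical. */
enum sslmode {
    SSLMODE_INVALID      = -1,  /* added here: unparseable setting */
    SSLMODE_REFUSE       = 0,   /* Refuse SSL */
    SSLMODE_PREFER_PLAIN = 1,   /* Negotiate, prefer non-SSL */
    SSLMODE_PREFER_SSL   = 2,   /* Negotiate, prefer SSL (default) */
    SSLMODE_REQUIRE      = 3    /* Require SSL */
};

/* Takes the two variable values as arguments (NULL means unset) so the
 * precedence rule can be checked without touching the environment. */
int resolve_sslmode(const char *pgsslmode, const char *pgrequire_ssl)
{
    if (pgsslmode != NULL) {
        /* Accept exactly one digit 0..3. Anything else is an error, so a
         * typo never silently downgrades a connection that should be
         * encrypted. */
        if (strlen(pgsslmode) == 1 &&
            pgsslmode[0] >= '0' && pgsslmode[0] <= '3')
            return pgsslmode[0] - '0';
        return SSLMODE_INVALID;
    }
    /* Backwards compatibility: only consulted when PGSSLMODE is unset.
     * Assumption: "set" means present and non-empty. */
    if (pgrequire_ssl != NULL && pgrequire_ssl[0] != '\0')
        return SSLMODE_REQUIRE;
    return SSLMODE_PREFER_SSL;
}

int main(void)
{
    int mode = resolve_sslmode(getenv("PGSSLMODE"), getenv("PGREQUIRE_SSL"));

    if (mode == SSLMODE_INVALID) {
        fprintf(stderr, "invalid PGSSLMODE value, refusing to connect\n");
        return 1;
    }
    printf("effective SSL mode: %d\n", mode);
    return 0;
}
```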