"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow an SSL connection but requires
> the hostssl specifier?

Then there would be no way to have a host entry that allowed both ---
which, aside from being a loss of functionality, would doubtless break
existing setups.

I'd hold still for a "hostnossl" keyword, I guess, but I don't entirely
see the use for it.

If your real gripe is that libpq insists on trying SSL connections
first, the server is the wrong end to be patching that problem at.
There should be a way to control libpq's allow_ssl_try state variable
from the outside.

regards, tom lane
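
Added example, not part of the original message and not PostgreSQL's own code: a simplified model of first-match record selection in pg_hba.conf, showing that `host` matches both SSL and non-SSL connections, `hostssl` only SSL, and a `hostnossl` type as floated above only non-SSL. The rules, addresses, CIDR address column and function names are constructed assumptions; real pg_hba.conf parsing has more record types and options.

```python
import ipaddress

# Constructed sample rules: TYPE DATABASE USER ADDRESS METHOD
SAMPLE_HBA = """
# TYPE     DATABASE  USER  ADDRESS         METHOD
hostssl    all       all   10.0.0.0/8      md5
hostnossl  all       all   10.0.0.0/8      reject
host       all       all   192.168.1.0/24  md5
"""

# Transport (ssl=True/False) that each record type applies to.
TYPE_MATCHES = {
    "host": {True, False},   # both SSL and non-SSL
    "hostssl": {True},       # SSL only
    "hostnossl": {False},    # non-SSL only (the keyword discussed above)
}

def parse_hba(text):
    """Parse the simplified five-column layout into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rtype, db, user, addr, method = line.split()
        if rtype not in TYPE_MATCHES:
            raise ValueError(f"unknown record type: {rtype}")
        rules.append((rtype, db, user, ipaddress.ip_network(addr), method))
    return rules

def first_match(rules, ssl, database, user, client_ip):
    """Return (type, method) of the first record that matches, else None."""
    ip = ipaddress.ip_address(client_ip)
    for rtype, db, usr, net, method in rules:
        if ssl not in TYPE_MATCHES[rtype]:
            continue  # record type does not cover this transport
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip in net:
            return rtype, method
    return None  # no record matched, so the connection is refused

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ssl in (True, False):
        for ip in ("10.1.2.3", "192.168.1.5", "172.16.0.1"):
            print(f"ssl={ssl!s:5} {ip:12} -> {first_match(rules, ssl, 'app', 'alice', ip)}")
```
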