RE: You're on SecurityFocus.com for the cleartext passwords. - Mailing list pgsql-hackers

From Magnus Hagander
Subject RE: You're on SecurityFocus.com for the cleartext passwords.
Msg-id 215896B6B5E1CF11BC5600805FFEA82103046415@sirius.edu.sollentuna.se
List pgsql-hackers
> Peter Eisentraut <peter_e@gmx.net> writes:
> > Tom Lane writes:
> >> We already have the ability to work with an externally provided SSL
> >> library.
> 
> > Does it actually work? Has anybody tried it? Is it documented anywhere?
> 
> Picky, picky ;-)

Well, since I'm responsible for putting the stuff in, I should probably have
tested it before we got this far into the beta. But I haven't had the time
:-(
It worked fine right after it was introduced, I tried that :-) But the
machine I have it running on is still running that old version (you can tell
it's not a heavily used machine right now).
If there's any major breakage it's probably too late to go messing around in
it before 7.0. I'll try to check it out and fix anything that's broken
before 7.0.1.


> It looks like you compile with USE_SSL (which ought to be listed as an
> available option in config.h.in, but isn't; someday it should be a
> configure option, perhaps) and then add "-l" to the postmaster switches.
> At least "-l" is documented.
:-)


> There are some interactions between SSL-client-and-non-SSL-server, etc,
> which you can read about in the pghackers archives from last year, if
> not in the docs.  
I don't think it ever made it into the docs. Probably because I never
cleaned it up enough. I have a draft around somewhere, I think.


> Also, I thought there was supposed to be a postmaster option to refuse non-SSL connections, but I don't see it now...
There was. :-)
At least in my patch, if you specify "-is", it will run as
"SecureNetServer", which should refuse any non-SSL INET connections. It will
drop non-SSL connections with the error "Backend requires secure
connection."
But it seems this is replaced with "-l" now. 

Seems like:
-i means listen on standard *AND* SSL if compiled with SSL.
-l means listen on SSL only (fail if SSL not compiled in).


You can also specify in pg_hba with "hostssl" instead of "host". 

//Magnus
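As an added illustration of the "host" versus "hostssl" distinction Magnus mentions at the end (example code written for this page, not code from the thread or from PostgreSQL), the script below reads pg_hba.conf rules and flags the combinations that leave passwords exposed on the wire: a cleartext "password" method on a rule that does not require SSL, a "hostnossl" rule, or "trust" on a non-loopback network. It assumes the modern pg_hba.conf column layout (TYPE DATABASE USER ADDRESS METHOD), which differs from the 7.0-era layout the mail refers to; the sample file embedded in it is constructed.

```python
"""Audit pg_hba.conf rules for cleartext-password and SSL-optional exposure.

Added example, not PostgreSQL code. Assumes the modern pg_hba.conf column
layout (TYPE DATABASE USER ADDRESS METHOD); the 7.0-era layout discussed in
the mail differed. The sample file below is constructed for this demonstration.
"""
import ipaddress
import re

# Constructed sample pg_hba.conf; line numbers are 1-based within this string.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS         METHOD
local     all       all                   peer
host      all       all   127.0.0.1/32    md5
host      all       all   10.0.0.0/8      password
hostssl   all       all   10.0.0.0/8      password
hostnossl all       all   0.0.0.0/0       trust
host      all       all   192.168.1.0/24  scram-sha-256
"""


def parse_hba(text):
    """Return one dict per active rule: line, type, database, user, address, method."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # Unix-socket rules carry no address column.
            if len(f) < 4:
                continue
            rules.append(dict(line=lineno, type="local", database=f[1],
                              user=f[2], address=None, method=f[3]))
            continue
        if len(f) < 5:
            continue
        address, method = f[3], f[4]
        # Older style with a separate netmask column: "host db user 10.0.0.0 255.0.0.0 md5"
        if len(f) >= 6 and re.fullmatch(r"[0-9.]+", f[4]):
            address, method = f"{f[3]}/{f[4]}", f[5]
        rules.append(dict(line=lineno, type=f[0], database=f[1],
                          user=f[2], address=address, method=method))
    return rules


def _is_loopback(address):
    """True only for networks entirely inside the loopback range."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # keywords such as samehost/samenet, or hostnames
        return False


def audit(text):
    """Return [(line_number, [reasons])] for rules that expose credentials or skip auth."""
    findings = []
    for rule in parse_hba(text):
        if rule["type"] == "local":
            continue  # Unix sockets never traverse the network
        remote = not _is_loopback(rule["address"])
        reasons = []
        if rule["type"] == "hostnossl":
            reasons.append("rule refuses SSL, so nothing on it is protected in transit")
        if rule["method"] == "password" and rule["type"] != "hostssl" and remote:
            reasons.append("cleartext 'password' method on a rule that does not require SSL")
        if rule["method"] == "trust" and remote:
            reasons.append("'trust' grants access without any authentication")
        if reasons:
            findings.append((rule["line"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in audit(SAMPLE_HBA):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Running it against the constructed sample reports line 4 (cleartext password on a plain "host" rule reachable from 10.0.0.0/8) and line 6 (a "hostnossl" rule with "trust"), while the "hostssl ... password" rule passes because the password only ever travels inside the SSL session.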

