RE: RE: SSL Patch - again :-) - Mailing list pgsql-hackers

From: Magnus Hagander
Subject: RE: RE: SSL Patch - again :-)
Msg-id: 215896B6B5E1CF11BC5600805FFEA82103D97C91@sirius.edu.sollentuna.se
List: pgsql-hackers

> > I think I wasn't clear enough. :-) It can *already* be specified by any
> > client application as long as you use PQconnectdb(). For example:
> > PQconnectdb("dbname='foo' host='localhost' requiressl=1")
> 
> I understand but this setting needs to be made available externally in
> some cases like psql and pg_dump and I was afraid of option letter
> inflation.
I was thinking we could use a "psql variable" in the case of psql, if we
wanted. For example:
psql -h localhost template1 -v "requiressl=1"
or something like that?

Oh, and it's still available by
PGREQUIRE_SSL=1 pgdump <whatever>


> Actually, isn't there a trichotomy here: 1. require SSL, 2. use SSL if
> available, 3. refuse SSL. The server side already handles all cases: 1 -
> "hostssl" in pg_hba.conf, 2 - `postmaster -l', 3 - default. The client
> side should perhaps also have these choices, not sure.
Good point. The reason for the client to not do SSL when both client and
server support it could be performance, I guess.
Perhaps we should replace PGREQUIRE_SSL with "PGSSLMODE", being:
0 - Refuse SSL
1 - Negotiate, Prefer non-SSL
2 - Negotiate, Prefer SSL (default)
3 - Require SSL



Anything else you guys will need on this patch before it's fine? :-) No
rush, but just so I know what to work on...

//Magnus
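
Added example, not part of the original message or the patch: a small C model of how the four proposed client modes would combine with the three server cases from the quoted trichotomy. The fallback order inside the two "negotiate" modes and all identifiers are assumptions; the message does not define them.

```c
#include <stdio.h>

/* Client modes, numbered as in the proposal above. */
enum client_mode { REFUSE_SSL, PREFER_PLAIN, PREFER_SSL, REQUIRE_SSL };

/* Server cases from the quoted trichotomy. */
enum server_policy {
    SRV_NO_SSL,       /* default: no SSL offered */
    SRV_SSL_OPTIONAL, /* postmaster -l: SSL or plaintext accepted */
    SRV_SSL_ONLY      /* "hostssl" entry in pg_hba.conf */
};

enum outcome { CONN_FAIL, CONN_PLAIN, CONN_SSL };

static int server_accepts(enum server_policy p, enum outcome transport)
{
    return transport == CONN_SSL ? p != SRV_NO_SSL : p != SRV_SSL_ONLY;
}

/* Assumed: preferred transport first; fallback only in negotiate modes. */
enum outcome resolve(enum client_mode m, enum server_policy p)
{
    enum outcome first  = (m >= PREFER_SSL) ? CONN_SSL : CONN_PLAIN;
    enum outcome second = (first == CONN_SSL) ? CONN_PLAIN : CONN_SSL;
    int may_fall_back   = (m == PREFER_PLAIN || m == PREFER_SSL);
    if (server_accepts(p, first))
        return first;
    if (may_fall_back && server_accepts(p, second))
        return second;
    return CONN_FAIL;
}

/* Number of server cases in which a client mode ends up unencrypted. */
int plaintext_cases(enum client_mode m)
{
    int p, n = 0;
    for (p = SRV_NO_SSL; p <= SRV_SSL_ONLY; p++)
        n += resolve(m, p) == CONN_PLAIN;
    return n;
}

int main(void)
{
    static const char *name[] = { "fail", "plaintext", "SSL" };
    int m, p;
    for (m = REFUSE_SSL; m <= REQUIRE_SSL; m++)
        for (p = SRV_NO_SSL; p <= SRV_SSL_ONLY; p++)
            printf("mode %d, server %d -> %s\n", m, p, name[resolve(m, p)]);
    return 0;
}
```

In this model only mode 3 never produces a plaintext connection; modes 1 and 2 both connect unencrypted to a server started without SSL.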

