Stephen Frost <sfrost@snowman.net> writes:
> * Chapman Flack (chap@anastigmatix.net) wrote:
>> If pg_hba syntax changes are being entertained, I would love to be able
>> to set ssl_min_protocol_version locally in a hostssl rule.
>> Some clients at $work are stuck with ancient SSL libraries, but I would
>> much rather be able to weaken ssl_min_protocol_version just for them
>> than do it globally.
> This (unlike what was actually proposed) does seem like it'd be a useful
> improvement. Not sure exaclty how it would work but I'm generally on
> board with the idea.
Seems like putting GUCs directly into pg_hba would be a mess. Would
it be enough to tell people to use ALTER ROLE/DATABASE SET for this,
and then fix things so that we recheck the protocol version (and
possibly bail out) after absorbing those settings?
I can think of objections to this:
* If you actually want to tie the restriction to source IP addresses,
rather than users or databases, this doesn't get the job done.
* The authentication cycle would be completed (or at least mostly
so) before we bail out; so if the concern is about packet-sniffing
or MITM attacks, maybe this would expose too much.
But it does have the advantage of being something it seems like
we could get done easily.
regards, tom lane
