Re: BUG #5008: Server Startup Problem - When server is configured for SSL - Mailing list pgsql-bugs

From Magnus Hagander
Subject Re: BUG #5008: Server Startup Problem - When server is configured for SSL
Date
Msg-id 9837222c0908270000s4a96cad5ief500b0ea2fc7403@mail.gmail.com
In response to Re: BUG #5008: Server Startup Problem - When server is configured for SSL  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #5008: Server Startup Problem - When server is configured for SSL
List pgsql-bugs
On Wed, Aug 26, 2009 at 22:47, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl@sss.pgh.pa.us> wrote:
>>> Magnus Hagander <magnus@hagander.net> writes:
>>>> But that will still fail if the user has set it up to require a client
>>>> certificate.
>>>
>>> But not till it gets to the pg_hba checks. We might need to have some
>
>> How would that be different from what we have now? sslmode=prefer will
>> still allow both ssl and non-ssl connection. It won't kick you out
>> until you reach the hba processing, will it?
>
> Hm, will it retry if the ssl setup step fails? If so it'd be all right,
> but it's still a waste of cycles ...

Yes, that's the difference between prefer and require.

I think the main issue is that test_postmaster_connection() only
accepts two cases - successful login and password prompt. It would
have similar issues with say an ident mismatch, or loopback
connections configured for kerberos.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
