On Tue, 10 Jun 2003, Tom Lane wrote:
> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > How do people feel about changing matching for host and hostssl to be such that
> > a plain host line in pg_hba.conf does not allow a SSL connection but requires
> > the hostssl specifier?
>
> Then there would be no way to have a host entry that allowed both ---
> which, aside from being a loss of functionality, would doubtless break
> existing setups.
Well, what I was thinking of would have allowed it, just using two entries, a
host one and a hostssl one.
> I'd hold still for a "hostnossl" keyword, I guess, but I don't entirely
> see the use for it.
Well Jon Jenson's posted something else on this which I should read when I've
got my mind more in tune with it.
> If your real gripe is that libpq insists on trying SSL connections
> first, the server is the wrong end to be patching that problem at.
> There should be a way to control libpq's allow_ssl_try state variable
> from the outside.
A quick read makes me think that's what Jon's post is on about.
--
Nigel Andrews