Refuse SSL patch - Mailing list pgsql-patches

From Jon Jensen
Subject Refuse SSL patch
Date
Msg-id Pine.LNX.4.50.0212091740550.1299-300000@louche.swelter.net
List pgsql-patches
PostgreSQL hackers,

This patch allows the PostgreSQL server to refuse SSL connections
selectively, and the clients to not initiate SSL connections.

The point is for me to be able to choose non-SSL connections over SSL,
even when SSL is available, for maximum performance. I've got a PostgreSQL
server that has a separate private network link to an application server,
and I want database connections there to always be non-SSL for speed. But
I also connect to the same PostgreSQL instance from a remote site, and
always want that connection to be SSL only for security.

I haven't seen any previous mention of a similar patch, though I found the
following idea proposed by Magnus Hagander which I like:

> Perhaps we should replace PGREQUIRE_SSL with "PGSSLMODE", being:
> 0 - Refuse SSL
> 1 - Negotiate, Prefer non-SSL
> 2 - Negotiate, Prefer SSL (default)
> 3 - Require SSL

http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php

He also notes the desire to be able to disable SSL for speed.

Magnus's post was over two years ago and it doesn't appear anything along
these lines was done. Since then the current setup of 'host'/'hostssl' in
pg_hba.conf and the client connect option 'requiressl' is pretty firmly
engrained, so to keep compatibility I added 'hostnossl' to pg_hba and a
'nossl' option to the client library.

Patch against PostgreSQL 7.2.3 is attached.

Is this useful to others? If you'd like me to make some changes to make it
acceptable, please let me know.

Thanks,
Jon
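
The server-side selection described in the message above can be modelled as first-match evaluation of pg_hba records. This is an added example, not code from the patch or from PostgreSQL; it assumes 'hostnossl' matches only non-SSL connections (mirroring 'hostssl'), uses a simplified four-column record layout, and the addresses, database name and the helpers parse_hba and decide are constructed for illustration.

```python
# Added illustration, not code from the patch: a model of first-match
# pg_hba selection with the record types host / hostssl / hostnossl.
import ipaddress

# Constructed sample rules (networks and auth method are made up):
# the private application-server link must be non-SSL, the remote site SSL only.
SAMPLE_HBA = """
# TYPE      DATABASE  ADDRESS           METHOD
hostnossl   all       10.0.0.0/24       md5
hostssl     all       203.0.113.0/24    md5
"""

def parse_hba(text):
    """Return (type, database, network, method) tuples for TCP records."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rtype, db, addr, method = line.split()
        if rtype not in ("host", "hostssl", "hostnossl"):
            raise ValueError("unsupported record type: " + rtype)
        rules.append((rtype, db, ipaddress.ip_network(addr), method))
    return rules

def decide(rules, client_ip, database, uses_ssl):
    """First matching record wins; no matching record means rejection."""
    ip = ipaddress.ip_address(client_ip)
    for rtype, db, net, method in rules:
        if db not in ("all", database) or ip not in net:
            continue
        if rtype == "hostssl" and not uses_ssl:
            continue  # record applies to SSL connections only
        if rtype == "hostnossl" and uses_ssl:
            continue  # record applies to non-SSL connections only
        return method
    return "reject"

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip, ssl in [("10.0.0.5", False), ("10.0.0.5", True),
                    ("203.0.113.9", True), ("203.0.113.9", False)]:
        print(ip, "ssl" if ssl else "plain", "->", decide(rules, ip, "appdb", ssl))
```

If the 'hostssl' record were widened to cover the private network as well, an SSL connection from 10.0.0.5 would fall through to it and be accepted, so the two address ranges have to stay disjoint for the refusal to hold.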
