PostgreSQL hackers,
This patch allows the PostgreSQL server to refuse SSL connections
selectively, and the clients to not initiate SSL connections.
The point is for me to be able to choose non-SSL connections over SSL,
even when SSL is available, for maximum performance. I've got a PostgreSQL
server that has a separate private network link to an application server,
and I want database connections there to always be non-SSL for speed. But
I also connect to the same PostgreSQL instance from a remote site, and
always want that connection to be SSL only for security.
I haven't seen any previous mention of a similar patch, though I found the
following idea proposed by Magnus Hagander which I like:
> Perhaps we shuold replace PGREQUIRE_SSL with "PGSSLMODE", being:
> 0 - Refuse SSL
> 1 - Negotiate, Prefer non-SSL
> 2 - Negotiate, Prefer SSL (default)
> 3 - Require SSL
http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
He also notes the desire to be able to disable SSL for speed.
Magnus's post was over two years ago and it doesn't appear anything along
these lines was done. Since then the current setup of 'host'/'hostssl' in
pg_hba.conf and the client connect option 'requiressl' is pretty firmly
engrained, so to keep compatibility I added 'hostnossl' to pg_hba and a
'nossl' option to the client library.
Patch against PostgreSQL 7.2.3 is attached.
Is this useful to others? If you'd like me to make some changes to make it
acceptable, please let me know.
Thanks,
Jon
