Re: Refuse SSL patch - Mailing list pgsql-patches
| From | Jon Jensen |
|---|---|
| Subject | Re: Refuse SSL patch |
| Date | |
| Msg-id | Pine.LNX.4.50.0301071555090.19672-100000@louche.swelter.net Whole thread Raw |
| In response to | Re: Refuse SSL patch (Bruce Momjian <pgman@candle.pha.pa.us>) |
| Responses |
Re: Refuse SSL patch
(Bruno Wolff III <bruno@wolff.to>)
Re: Refuse SSL patch (Bruce Momjian <pgman@candle.pha.pa.us>) |
| List | pgsql-patches |
On Tue, 7 Jan 2003, Bruce Momjian wrote: > Jon Jensen wrote: > > > I don't think overloading REQUIRE to mean something else is really the > > > way to go. Looking at your options, we have: > > > > > > > > 0 - Refuse SSL > > > > > > Hard to imagine why someone would pick this one. > > > > But this is the exact reason I started my patch -- I need a server that > > can do SSL to allow *only* SSL connections to an off-site IP address, but > > *only* non-SSL connections to an internal IP address on a private network. > > Speed would suffer greatly if I were to allow SSL connections internally, > > but security would suffer if I disabled all SSL connections. > > But doesn't pg_hba.conf do that already, in that you say 'host' for the > local ip, but ssl for the remote ip's? The proposed SSLMODE is a client-side configuration option to supercede REQUIRESSL, which is also a client configuration option. Here's the problem: 1. The client always tries to connect via SSL if SSL support was compiled in. There is no way to change this presently. 2. If the server can do SSL *at all*, it negotiates an SSL connection with the client. 3. End of story -- we have an SSL connection when I don't want one. The only way around it is to have the server have no SSL support at all. So it's a client problem. The client needs to be configured to not try an SSL connection at all, when I don't want it to. Hence SSLMODE=0, which means forbid SSL. But on the other hand, we want some control on the server as well -- we may want to disallow SSL connections from a certain IP address, if nothing else just to make sure a client doesn't accidentally use SSL over the local network because someone forgets not to use it. Otherwise we could be accidentally using SSL on the local network and killing performance. So I added a 'hostnossl' option to pg_hba.conf, which will allow only non-SSL connections from certain IP addresses. Only the client changes are really necessary for my setup to work, but the server change allows me to guarantee that other developers don't accidentally connect via SSL when it's not wanted. Does that make more sense? Jon
pgsql-patches by date: