On Tue, 7 Jan 2003, Bruce Momjian wrote:
> Jon Jensen wrote:
> > > I don't think overloading REQUIRE to mean something else is really the
> > > way to go. Looking at your options, we have:
> > >
> > > > > 0 - Refuse SSL
> > >
> > > Hard to imagine why someone would pick this one.
> >
> > But this is the exact reason I started my patch -- I need a server that
> > can do SSL to allow *only* SSL connections to an off-site IP address, but
> > *only* non-SSL connections to an internal IP address on a private network.
> > Speed would suffer greatly if I were to allow SSL connections internally,
> > but security would suffer if I disabled all SSL connections.
>
> But doesn't pg_hba.conf do that already, in that you say 'host' for the
> local ip, but ssl for the remote ip's?
The proposed SSLMODE is a client-side configuration option to supersede
REQUIRESSL, which is also a client configuration option. Here's the
problem:
1. The client always tries to connect via SSL if SSL support was compiled
in. There is no way to change this presently.
2. If the server can do SSL *at all*, it negotiates an SSL connection with
the client.
3. End of story -- we have an SSL connection when I don't want one. The
only way around it is to have the server have no SSL support at all.
So it's a client problem. The client needs to be configured to not try an
SSL connection at all, when I don't want it to. Hence SSLMODE=0, which
means forbid SSL.
But on the other hand, we want some control on the server as well -- we
may want to disallow SSL connections from a certain IP address, if nothing
else just to make sure a client doesn't accidentally use SSL over the
local network because someone forgets not to use it. Otherwise we could be
accidentally using SSL on the local network and killing performance. So I
added a 'hostnossl' option to pg_hba.conf, which will allow only non-SSL
connections from certain IP addresses.
Only the client changes are really necessary for my setup to work, but the
server change allows me to guarantee that other developers don't
accidentally connect via SSL when it's not wanted.
Does that make more sense?
Jon
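
The setup described in this message, written in the syntax that released PostgreSQL ended up with (the `hostnossl` and `hostssl` record types in pg_hba.conf, and a string-valued `sslmode` client parameter rather than the numeric SSLMODE=0 proposed here). This is an added example, not text from the thread; the network addresses and the authentication method are placeholders.

```text
# pg_hba.conf (added example; addresses and method are placeholders)
# pg_hba.conf is matched top-down, first match wins, so the narrow
# hostnossl/hostssl records must come before any broader "host" record.
#
# TYPE       DATABASE  USER  ADDRESS           METHOD
hostnossl    all       all   10.0.0.0/24       md5   # private LAN: plain TCP only, SSL attempts are refused
hostssl      all       all   203.0.113.7/32    md5   # off-site client: only SSL connections accepted
# No catch-all "host" record: a connection that matches no record is refused.
```

On the client side the shipped form of the proposal is the `sslmode` connection parameter (also settable through the `PGSSLMODE` environment variable): internal clients use `sslmode=disable` so libpq never attempts the SSL handshake, and the off-site client uses `sslmode=require`. A client left at the default `prefer` mode against the `hostnossl` record first tries SSL, is refused, and then retries without it, so the server-side rule protects against accidental SSL but does not remove the wasted handshake; only `disable` does that. Note that `require` only forces encryption; current libpq also offers `verify-ca` and `verify-full`, which additionally check the server certificate (and, for `verify-full`, that it matches the host name), which is what the off-site connection should normally use.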