Thread: forcing SSL

forcing SSL

From
hehe88hk@yahoo.com.hk (Eric)
Date:
In order to ensure all users are making SSL connections to the database,
in the file pg_hba.conf I changed all the first columns into "hostssl"
such that there is neither "host" nor "local" left.

However, when I try to use a program written in Tcl to access the
database, even without the option "requiressl=1" for "pg_connect", the
program can still make a connection to the database.

(With the option "requiressl=1" present for "pg_connect", my program
can also connect to the database successfully.)

May I know what the problem is and how to ensure incoming SSL
connections?

Thank you

Re: forcing SSL

From
Tom Lane
Date:
hehe88hk@yahoo.com.hk (Eric) writes:
> In order to ensure all users are making SSL connections to the database,
> in the file pg_hba.conf I changed all the first columns into "hostssl"
> such that there is neither "host" nor "local" left.

> However, when I try to use a program written in Tcl to access the
> database, even without the option "requiressl=1" for "pg_connect", the
> program can still make a connection to the database.

Is this a local-Unix-socket connection?  We don't bother with SSL on
such connections.  There's no point --- the only way to eavesdrop on
a local connection is to have broken into your kernel, at which point
it's game over anyway.

            regards, tom lane

PS: it also occurs to me you might have forgotten to SIGHUP the
postmaster after editing pg_hba.conf...
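The two things this thread turns on are easy to miss when eyeballing pg_hba.conf by hand: a `local` record matches Unix-socket connections, where SSL is never negotiated, and any leftover `host` or `hostnossl` record still admits plain TCP even when every other line says `hostssl`. The following audit script is an added example for this thread, not code posted by Eric or Tom Lane. It parses a pg_hba.conf in the standard `TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]` layout and reports which records permit unencrypted TCP and which are Unix-socket records that SSL cannot cover. The sample file embedded below is constructed for the demonstration; the record-type names (`local`, `host`, `hostssl`, `hostnossl`, `hostgssenc`, `hostnogssenc`) are PostgreSQL's own, but the verdict labels and function names are this example's, not anything from the project.

```python
"""Audit a pg_hba.conf for records that admit non-SSL connections.

Added example for this mailing-list thread, not code from either poster.
Verdicts per record TYPE:
  hostssl      -> "ssl"         TCP, SSL/TLS required
  hostgssenc   -> "gss"         TCP, GSSAPI-encrypted (encrypted, but not SSL)
  host         -> "plain"       TCP, SSL optional: a non-SSL client gets in
  hostnogssenc -> "plain"       TCP without GSS encryption; SSL still optional
  hostnossl    -> "plain"       TCP, explicitly non-SSL only
  local        -> "unix-socket" Unix-domain socket: SSL is never used here
  anything else-> "unknown"
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SSL_ONLY = {"hostssl"}
GSS_ENCRYPTED = {"hostgssenc"}
PLAIN_TCP = {"host", "hostnogssenc", "hostnossl"}
UNIX_SOCKET = {"local"}


@dataclass
class Finding:
    lineno: int        # 1-based line number in the config text
    record_type: str   # first column of the record
    verdict: str       # one of the labels listed in the module docstring
    text: str          # the record with comments and extra whitespace removed


def parse_hba(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (lineno, fields) for every non-blank, non-comment record.

    A trailing '# comment' is stripped. Double-quoted fields containing
    spaces are not handled; this audit only needs the first column.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        yield lineno, line.split()


def classify(record_type: str) -> str:
    """Map a pg_hba.conf record TYPE to an encryption verdict."""
    if record_type in SSL_ONLY:
        return "ssl"
    if record_type in GSS_ENCRYPTED:
        return "gss"
    if record_type in PLAIN_TCP:
        return "plain"
    if record_type in UNIX_SOCKET:
        return "unix-socket"
    return "unknown"


def audit(text: str) -> List[Finding]:
    """Classify every record in the given pg_hba.conf text."""
    return [
        Finding(lineno, fields[0], classify(fields[0]), " ".join(fields))
        for lineno, fields in parse_hba(text)
    ]


def tcp_without_ssl(findings: List[Finding]) -> List[Finding]:
    """Records that let a TCP client connect without SSL/TLS."""
    return [f for f in findings if f.verdict == "plain"]


def unix_socket_records(findings: List[Finding]) -> List[Finding]:
    """Records matched by local (Unix-socket) clients, where SSL is moot."""
    return [f for f in findings if f.verdict == "unix-socket"]


# Constructed sample: what a file that was "mostly" converted to hostssl
# might look like. The two plain records are the kind of leftover that
# lets a client without requiressl=1 connect over the network.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS         METHOD
local     all       all                   peer           # unix socket, no SSL possible
hostssl   all       all   0.0.0.0/0       scram-sha-256
hostssl   all       all   ::/0            scram-sha-256
host      all       all   10.0.0.0/8      md5            # leftover plain TCP record
hostnossl all       all   192.168.1.0/24  trust          # explicitly non-SSL
"""


def report(text: str) -> str:
    """Human-readable summary of the non-SSL exposure in a config."""
    findings = audit(text)
    lines = []
    for f in tcp_without_ssl(findings):
        lines.append(f"line {f.lineno}: non-SSL TCP allowed -> {f.text}")
    for f in unix_socket_records(findings):
        lines.append(f"line {f.lineno}: unix-socket record (SSL not applicable) -> {f.text}")
    return "\n".join(lines) if lines else "no non-SSL TCP records found"


if __name__ == "__main__":
    print(report(SAMPLE_HBA))
```

Run it against the real file (`audit(open("/path/to/pg_hba.conf").read())`) after every edit. Any `plain` finding means a client that omits `requiressl=1` can still connect over the network; a `unix-socket` finding is the case Tom Lane describes, where removing the `local` record is the only way to stop socket connections, since the server never offers SSL on them. Whatever you change, the server must re-read the file before it takes effect: send the postmaster SIGHUP, run `pg_ctl reload`, or execute `SELECT pg_reload_conf();` as a superuser.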