Postgres Pro
Downloads
Home   >   mailing lists

Thread: pgsql-server/ oc/src/sgml/client-auth.sgml oc/ ...

pgsql-server/ oc/src/sgml/client-auth.sgml oc/ ...

From
momjian@svr1.postgresql.org (Bruce Momjian)
Date:
CVSROOT:    /cvsroot
Module name:    pgsql-server
Changes by:    momjian@svr1.postgresql.org    03/07/26 10:50:02

Modified files:
    doc/src/sgml   : client-auth.sgml libpq.sgml
    src/backend/libpq: auth.c hba.c
    src/interfaces/libpq: fe-connect.c libpq-int.h

Log message:
    At long last I put together a patch to support 4 client SSL negotiation
    modes (and replace the requiressl boolean). The four options were first
    spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
    to pgsql-hackers, archived here:

    http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php

    My original less-flexible patch and the ensuing thread are archived at:

    http://dbforums.com/t623845.html

    Attached is a new patch, including documentation.

    To sum up, there's a new client parameter "sslmode" and environment
    variable "PGSSLMODE", with these options:

    sslmode   description
    -------   -----------
    disable   Unencrypted non-SSL only
    allow     Negotiate, prefer non-SSL
    prefer    Negotiate, prefer SSL (default)
    require   Require SSL

    The only change to the server is a new pg_hba.conf line type,
    "hostnossl", for specifying connections that are not allowed to use SSL
    (for example, to prevent servers on a local network from accidentally
    using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:

    pg_hba.conf line types
    ----------------------
    host       applies to either SSL or regular connections
    hostssl    applies only to SSL connections
    hostnossl  applies only to regular connections

    These client and server options, the postgresql.conf ssl = false option,
    and finally the possibility of compiling with no SSL support at all,
    make quite a range of combinations to test. I threw together a test
    script to try many of them out. It's in a separate tarball with its
    config files, a patch to psql so it'll announce SSL connections even in
    absence of a tty, and the test output. The test is especially informative
    when run on the same tty the postmaster was started on, so the FATAL:
    errors during negotiation are interleaved with the psql client output.

    I saw Tom write that new submissions for 7.4 have to be in before midnight
    local time, and since I'm on the east coast in the US, this just makes it
    in before the bell. :)

    Jon Jensen