> > I also added the function sslinfo() to get information about the SSL
> > connection.
>
> That strikes me as a very bizarre way of doing things. Why not add an
> inquiry function to the libpq API, instead?
Well. I did it mostly so I wouldn't have to change the API :-)
But your points are very good :-) I'll add something to the frontend
library, remove the function, and send a new patch.
Peter wrote:
> Any chance we can get a `diff -cr' patch?
Sure, I'll do that next time. I just used the 'difforig' script that is
included in the backend. If this is not the preferred format of the patch,
maybe it shuold be updated?
> Btw., a while ago I was wondering about the postmaster `-l' option: I
> think it should be removed and the job should be done in pg_hba.conf
> alone. Instead I would like an option (possibly -l) that turns off SSL
> completely. Currently you can't even start the postmaster without the
> certificate files etc. (Some docs on how to do that would be nice as
> well.)
Hm. Yeah. It's actually handled at both stages right now. You can use the
"-l" option to reject *all* non-SSL INET connections at an early stage,
before even looknig at pg_hba.conf. But everything can be handled in
pg_hba.conf already.
I'll look at fixing that up as well :-)
> Btw.2: Where do you get the documenation? I have been looking for SSL API
> docs all over.
Actually, nowhere... I got it looking through other programs source when
developnig a "poor mans VPN" solution for work. Then I just took what I had
there and applied to postgresql. There is a serious lack of documentation of
that API...
//Magnus