Here's what I want to do:
1) I want one of my web servers to be able to connect to the database without the overhead of SSL (it connects as an unprivileged user who just does SELECTs).
2) I want to allow connections from another machine -- also a web server -- ONLY if they're encrypted with SSL (users with the ability to INSERT/UPDATE will be connecting with passwords via a web/db interface hosted on this machine).
It seems to me that I can't do both. If I turn on the 'ssl=true' option in $PGDATA/postgresql.conf, then connections from psql at least are _always_ encrypted, no matter what's in pg_hba.conf.
For the record, here's what's in pg_hba.conf (notably, there's no hostssl entry):
local   all   all                               trust
host    all   all   127.0.0.1   255.255.255.255 trust
And here's what happens when I connect with psql:
[economex] charlie/$ psql -h 127.0.0.1 template1
Welcome to psql 7.3.1, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit
SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)
template1=> \q
... which looks encrypted to me.
Am I right in interpreting this to mean that I either have to use SSL all the time or none of the time? I'm especially tempted to believe this might be the case after seeing this item in the "Clients" section of http://developer.postgresql.org/todo.php:
- Allow SSL-enabled clients to turn off SSL transfers
Does that mean that, if SSL is enabled for the postmaster, the client will always be forced to use SSL? Or is there something I need to do to force the client to NOT use SSL?
Thanks, Charlie
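An added illustration, not part of Charlie's post and not PostgreSQL's own code: the two requirements above map onto pg_hba.conf record types, because the server evaluates records top to bottom and the first one that matches the connection's type, address, database and user decides the authentication method (a non-matching type such as hostssl for a plaintext connection is simply skipped, and a connection that matches nothing is rejected). The script below models that first-match evaluation for a constructed pg_hba.conf in which one web server is admitted only without SSL (hostnossl) and the other only with SSL (hostssl). The hostnossl record type and the client-side sslmode connection parameter exist in current PostgreSQL releases but were added after 7.3; the addresses, role names and rules are invented for the example, and only the CIDR address form is handled, not the older "address netmask" form shown in the post.

```python
import ipaddress

# Constructed pg_hba.conf for the example (hosts and roles are invented).
SAMPLE_HBA = """
# TYPE      DATABASE  USER      ADDRESS        METHOD
local       all       all                      trust
hostnossl   all       readonly  10.0.0.5/32    trust   # SELECT-only web server, no SSL
hostssl     all       all       10.0.0.6/32    md5     # editing web server, SSL required
host        all       all       127.0.0.1/32   trust
"""


def parse_hba(text):
    """Parse pg_hba.conf records (CIDR address form only) into dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        kind = parts[0]
        if kind == "local":
            db, user, method = parts[1], parts[2], parts[3]
            addr = None
        elif kind in ("host", "hostssl", "hostnossl"):
            db, user, addr, method = parts[1], parts[2], parts[3], parts[4]
        else:
            raise ValueError("unsupported record type: %s" % kind)
        rules.append({"kind": kind, "db": db, "user": user, "addr": addr, "method": method})
    return rules


def rule_matches(rule, conn):
    """conn: {'kind': 'local'|'host', 'ssl': bool, 'addr': str|None, 'db': str, 'user': str}."""
    if rule["kind"] == "local":
        if conn["kind"] != "local":
            return False
    else:
        if conn["kind"] != "host":
            return False
        # hostssl only matches encrypted connections; hostnossl only plaintext ones;
        # plain host matches either.
        if rule["kind"] == "hostssl" and not conn["ssl"]:
            return False
        if rule["kind"] == "hostnossl" and conn["ssl"]:
            return False
        if ipaddress.ip_address(conn["addr"]) not in ipaddress.ip_network(rule["addr"]):
            return False
    if rule["db"] != "all" and rule["db"] != conn["db"]:
        return False
    if rule["user"] != "all" and rule["user"] != conn["user"]:
        return False
    return True


def resolve(rules, conn):
    """Return the auth method of the first matching record, or None if the connection is rejected."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["method"]
    return None


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    ro_plain = {"kind": "host", "ssl": False, "addr": "10.0.0.5", "db": "app", "user": "readonly"}
    ed_ssl = {"kind": "host", "ssl": True, "addr": "10.0.0.6", "db": "app", "user": "editor"}
    ed_plain = dict(ed_ssl, ssl=False)
    print("read-only server, plaintext:", resolve(rules, ro_plain))   # trust
    print("editing server, SSL:        ", resolve(rules, ed_ssl))     # md5
    print("editing server, plaintext:  ", resolve(rules, ed_plain))   # None (rejected)
```

On the client side of a current release the read-only web server would pass sslmode=disable (for example psql "host=dbhost sslmode=disable") so that libpq does not negotiate SSL even though the server offers it, while the editing server would use sslmode=require; the server-side hostssl record is what actually enforces encryption for the second machine, since a client setting alone can be changed by whoever controls that client.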