CVSROOT:        /cvsroot
Module name:    pgsql-server
Changes by:     [EMAIL PROTECTED]       03/07/26 10:50:02

Modified files:
        doc/src/sgml   : client-auth.sgml libpq.sgml 
        src/backend/libpq: auth.c hba.c 
        src/interfaces/libpq: fe-connect.c libpq-int.h 

Log message:
        At long last I put together a patch to support 4 client SSL negotiation
        modes (and replace the requiressl boolean). The four options were first
        spelled out by Magnus Hagander <[EMAIL PROTECTED]> on 2000-08-23 in email
        to pgsql-hackers, archived here:
        
        http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
        
        My original less-flexible patch and the ensuing thread are archived at:
        
        http://dbforums.com/t623845.html
        
        Attached is a new patch, including documentation.
        
        To sum up, there's a new client parameter "sslmode" and environment
        variable "PGSSLMODE", with these options:
        
        sslmode   description
        -------   -----------
        disable   Unencrypted non-SSL only
        allow     Negotiate, prefer non-SSL
        prefer    Negotiate, prefer SSL (default)
        require   Require SSL
        
        The only change to the server is a new pg_hba.conf line type,
        "hostnossl", for specifying connections that are not allowed to use SSL
        (for example, to prevent servers on a local network from accidentally
        using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
        
        pg_hba.conf line types
        ----------------------
        host       applies to either SSL or regular connections
        hostssl    applies only to SSL connections
        hostnossl  applies only to regular connections
        
        These client and server options, the postgresql.conf ssl = false option,
        and finally the possibility of compiling with no SSL support at all,
        make quite a range of combinations to test. I threw together a test
        script to try many of them out. It's in a separate tarball with its
        config files, a patch to psql so it'll announce SSL connections even in
        absence of a tty, and the test output. The test is especially informative
        when run on the same tty the postmaster was started on, so the FATAL:
        errors during negotiation are interleaved with the psql client output.
        
        I saw Tom write that new submissions for 7.4 have to be in before midnight
        local time, and since I'm on the east coast in the US, this just makes it
        in before the bell. :)
        
        Jon Jensen
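An added example, not code from the committed patch: it models how the four client sslmode values and the three pg_hba.conf line types described above combine to decide the transport a connection ends up on (or whether it fails), with pg_hba.conf matching reduced to the line type alone.

```python
# Added example, not the committed patch: model how the sslmode values and
# pg_hba.conf line types combine. Matching is simplified to the line type only.

# Order in which the client attempts transports for each sslmode:
# "allow" and "prefer" negotiate (try one, fall back to the other),
# "disable" and "require" make a single attempt.
ATTEMPT_ORDER = {
    "disable": ("plain",),
    "allow": ("plain", "ssl"),
    "prefer": ("ssl", "plain"),
    "require": ("ssl",),
}

# Which transports each pg_hba.conf line type applies to.
HBA_APPLIES_TO = {
    "host": {"ssl", "plain"},
    "hostssl": {"ssl"},
    "hostnossl": {"plain"},
}


def negotiate(sslmode, server_ssl_on, hba_line_types):
    """Return "ssl" or "plain" for the transport the connection settles on,
    or None if every attempt is rejected.

    server_ssl_on  -- the postgresql.conf ssl setting (or False when the
                      server was built without SSL support)
    hba_line_types -- line types of the pg_hba.conf entries in file order;
                      the first entry applying to the transport wins
    """
    if sslmode not in ATTEMPT_ORDER:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    for transport in ATTEMPT_ORDER[sslmode]:
        if transport == "ssl" and not server_ssl_on:
            continue  # server declines the SSL request; try next transport
        if any(transport in HBA_APPLIES_TO[t] for t in hba_line_types):
            return transport
        # no hba line covers this transport: server rejects (FATAL),
        # a negotiating client moves on to its fallback transport
    return None


def outcome_matrix(hba_line_types):
    """Every sslmode x server-ssl combination for one pg_hba.conf layout,
    the grid the log message's test script exercises."""
    return {
        (mode, ssl_on): negotiate(mode, ssl_on, hba_line_types)
        for mode in ATTEMPT_ORDER
        for ssl_on in (True, False)
    }
```

Note that "prefer" against a hostnossl-only server silently lands on a plain connection, which is why the commit's psql patch announces the SSL state even without a tty.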

