On Mon, Apr 29, 2024 at 4:38 AM Heikki Linnakangas <hlinn...@iki.fi> wrote:
> Making requiredirect to imply sslmode=require, or error out unless you
> also set sslmode=require, feels like a cavalier way of forcing SSL. We
> should have a serious discussion on making sslmode=require the default
> instead. That would be a more direct way of nudging people to use SSL.
> It would cause a lot of breakage, but it would also be a big improvement
> to security.
>
> Consider how sslnegotiation=requiredirect/directonly would feel, if we
> made sslmode=require the default. If you explicitly set "sslmode=prefer"
> or "sslmode=disable", it would be annoying if you would also need to
> remove "sslnegotiation=requiredirect" from your connection string.

I think making sslmode=require the default is pretty unworkable, unless we also had a way of automatically setting up SSL as part of initdb or something. Otherwise, we'd have to add sslmode=disable to a million places just to get the regression tests to work, and every test cluster anyone spins up locally would break in annoying ways, too.

I had been thinking we might want to change the default to sslmode=disable and remove allow and prefer, but maybe automating a basic SSL setup is better. Either way, we should move toward a world where you either ask for SSL and get it, or don't ask for it and don't get it. Being halfway in between is bad.

--
Robert Haas
EDB: http://www.enterprisedb.com