Bruce Momjian wrote:
> > would impose a noticeable connection initiation overhead on everyone's 
> > Unix-domain socket uses.  You could make it use SSL in require mode, but 
> > it seems weird that prefer mode would end up doing something different 
> > than require mode.
> > 
> > Maybe Magnus has an opinion on how we could make this fit into the new 
> > scheme of things.  I assume since we require certificates to be set up 
> > now, SSL will by default be off and so using it over Unix-domain sockets 
> > when enabled would not be in the common path, which was the objection 
> > previously.
> 
> Yep, the problem is that sslmode doesn't have any way to specify if we
> want unix domain sockets to behave differently from tcp sockets, and our
> default for sslmode makes that even worse.

I have added the following documentation patch to mention that 'sslmode'
is ignored for Unix domain sockets; backpatched to 8.3.X.

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.266
diff -c -c -r1.266 libpq.sgml
*** doc/src/sgml/libpq.sgml	27 Oct 2008 09:42:31 -0000	1.266
--- doc/src/sgml/libpq.sgml	4 Nov 2008 22:33:49 -0000
***************
*** 233,240 ****
           <term><literal>sslmode</literal></term>
           <listitem>
            <para>
!            This option determines whether or with what priority an
!            <acronym>SSL</> connection will be negotiated with the
             server. There are four modes: <literal>disable</> will attempt
             only an unencrypted <acronym>SSL</> connection;
             <literal>allow</> will negotiate, trying first a
--- 233,240 ----
           <term><literal>sslmode</literal></term>
           <listitem>
            <para>
!            This option determines whether or with what priority a
!            <acronym>SSL</> TCP/IP connection will be negotiated with the
             server. There are four modes: <literal>disable</> will attempt
             only an unencrypted <acronym>SSL</> connection;
             <literal>allow</> will negotiate, trying first a
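Review bot: the changed line `whether or with what priority a` followed by `<acronym>SSL</> TCP/IP connection` swaps the original `an` for `a`; SSL is read letter by letter and the rest of this paragraph uses `an <acronym>SSL</> connection`, so keep `an` here. While this paragraph is being edited, the unchanged context line `only an unencrypted <acronym>SSL</> connection` under `disable` is self-contradictory (`disable` attempts an unencrypted, non-SSL connection) and would be worth fixing in the same patch by dropping `<acronym>SSL</>` from that sentence.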
***************
*** 243,249 ****
             will negotiate, trying first an <acronym>SSL</> connection,
             then if that fails, trying a regular non-<acronym>SSL</>
             connection; <literal>require</> will try only an
!            <acronym>SSL</> connection.
            </para>
  
            <para>
--- 243,250 ----
             will negotiate, trying first an <acronym>SSL</> connection,
             then if that fails, trying a regular non-<acronym>SSL</>
             connection; <literal>require</> will try only an
!            <acronym>SSL</> connection.  <literal>sslmode</> is ignored
!            for Unix domain socket communication.
            </para>
  
            <para>
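Review bot: the added sentence `<literal>sslmode</> is ignored for Unix domain socket communication.` states the rule but not the consequence a reader picking `require` for security needs: because the option is ignored, a Unix-domain-socket connection is neither SSL-encrypted nor rejected, even in `require` mode. Suggest saying that in as many words, e.g. `<literal>sslmode</> is ignored for Unix domain socket communication; such connections are never encrypted with <acronym>SSL</>.`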
-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
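The point the thread settles, that `sslmode` has no effect over a Unix domain socket, is easy to miss when auditing connection strings that were written with `sslmode=require` in the belief that it guarantees encryption. The following helper is an added example, not part of the thread and not libpq's own code: it parses a libpq keyword/value connection string and flags combinations where `sslmode` promises encryption but the connection will use a Unix domain socket. It assumes the libpq conventions that an absent `host` or a `host` beginning with `/` selects a Unix domain socket (on Unix platforms), that the default `sslmode` is `prefer`, and it does not consult `PGHOST` or other environment variables.

```python
import re

# libpq conninfo syntax: whitespace-separated "keyword = value" pairs, where a
# value may be single-quoted and use backslash escapes inside the quotes.
_PAIR_RE = re.compile(r"""\s*(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S*))""")

# sslmode values under which a caller would expect the link to be encrypted.
SSL_MODES_EXPECTING_ENCRYPTION = {"prefer", "require"}

# Assumption: libpq's default sslmode is "prefer" when none is given.
DEFAULT_SSLMODE = "prefer"


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq keyword/value connection string into a dict."""
    params = {}
    pos = 0
    while pos < len(conninfo):
        match = _PAIR_RE.match(conninfo, pos)
        if not match:
            if conninfo[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"cannot parse conninfo at offset {pos}")
        key, quoted, bare = match.group(1), match.group(2), match.group(3)
        # Unescape backslash sequences inside a quoted value.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[key] = value
        pos = match.end()
    return params


def uses_unix_socket(params: dict) -> bool:
    """Assumption: no host, or a host that is a directory path, means a Unix socket."""
    host = params.get("host", "")
    return host == "" or host.startswith("/")


def audit_conninfo(conninfo: str) -> list:
    """Return warnings for connection strings whose sslmode gives false assurance.

    Per the documentation change in this thread, sslmode is ignored for Unix
    domain socket communication, so 'prefer' or 'require' over such a socket
    does not result in an SSL-encrypted connection.
    """
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode", DEFAULT_SSLMODE)
    warnings = []
    if uses_unix_socket(params) and mode in SSL_MODES_EXPECTING_ENCRYPTION:
        shown_host = params.get("host") or "<unset>"
        warnings.append(
            f"sslmode={mode} has no effect: host {shown_host} selects a Unix "
            f"domain socket, so this connection will not be SSL-encrypted"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from any real deployment.
    samples = [
        "host=/var/run/postgresql dbname=app sslmode=require",
        "host='/tmp/pg sock' user=bob sslmode=prefer",
        "host=db.example.internal dbname=app sslmode=require",
        "dbname=app sslmode=disable",
    ]
    for dsn in samples:
        print(dsn)
        for warning in audit_conninfo(dsn) or ["  ok"]:
            print("  " + warning.strip())
```

Run it over the connection strings an application or its deployment config actually uses; the first two constructed samples are reported because a Unix-socket path is combined with an encryption-expecting `sslmode`, while a TCP/IP host or an explicit `disable` is left alone.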