On Mon, Apr 25, 2011 at 18:59, Robert Haas <robertmh...@gmail.com> wrote: > On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> A recent complaint in pgsql-novice revealed that if you have say >> >> hostssl all all 127.0.0.1/32 md5 >> clientcert=1 >> >> in pg_hba.conf, but you forget to enable SSL in postgresql.conf, >> you get something like this: >> >> LOG: client certificates can only be checked if a root certificate store is >> available >> HINT: Make sure the root.crt file is present and readable. >> CONTEXT: line 82 of configuration file >> "/home/tgl/version90/data/pg_hba.conf" >> LOG: client certificates can only be checked if a root certificate store is >> available >> HINT: Make sure the root.crt file is present and readable. >> CONTEXT: line 84 of configuration file >> "/home/tgl/version90/data/pg_hba.conf" >> FATAL: could not load pg_hba.conf >> >> Needless to say, this is pretty unhelpful, especially if you actually do >> have a root.crt file. >> >> I'm inclined to think that the correct fix is to make parse_hba_line, >> where it first realizes the line is "hostssl", check not only that SSL >> support is compiled but that it's turned on. Is it really sensible to >> allow hostssl lines in pg_hba.conf when SSL is turned off? At best >> they are no-ops, and at worst they're going to result in weird failures >> like this one. > > It's not clear to me what behavior you are proposing. Would we > disregard the hostssl line or treat it as an error?
It would absolutely have to be treat it as an error. another option would be to throw a more specific warning at that place, and keep the rest of the code the same. We can't *ignore* hostssl rows in ssl=off mode, that would be an easy way for an admin to set up a system they thought was secure but isn't... -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
