Hi all Another thing I keep on wishing Pg's protocol had is an after-connection negotiation for transport encryption, like STARTTLS .
Right now, the client has to guess if the server requires, permits, or rejects SSL, and decide whether to start with SSL or !SSL. If that fails, it has to try the other one. The way it's managed in pg_hba.conf means that users usually just get confusing errors like: FATAL: no pg_hba.conf entry for host "192.168.0.1", user "postgres", database "whatever", SSL off without the client app being given the opportunity to be told by the server "Please upgrade to transport level security before proceeding". I like how IMAP does it, where the server announces its capabilities. Reasonable to aim for in a protocol v4? -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
