On Wed, Sep 3, 2014 at 12:17 PM, Craig Ringer <cr...@2ndquadrant.com> wrote:
> Hi all
>
> Another thing I keep on wishing Pg's protocol had is an after-connection
> negotiation for transport encryption, like STARTTLS.
>
> Right now, the client has to guess if the server requires, permits, or
> rejects SSL, and decide whether to start with SSL or !SSL. If that
> fails, it has to try the other one.
>
> The way it's managed in pg_hba.conf means that users usually just get
> confusing errors like:
>
> FATAL: no pg_hba.conf entry for host "192.168.0.1", user "postgres",
> database "whatever", SSL off
>
> without the client app being given the opportunity to be told by the
> server "Please upgrade to transport level security before proceeding".
>
> I like how IMAP does it, where the server announces its capabilities.
>
> Reasonable to aim for in a protocol v4?
Yeah, it definitely does I think. Should be in the form of some more generic
"capabilities negotiation" though, even if we only have SSL to begin with.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
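As an added illustration of the two connection-setup styles discussed in this thread (this is example code written for this page, not code from the thread, from PostgreSQL or from libpq): a toy Python model in which a per-host policy stands in for the pg_hba.conf decision. `guess_and_retry` is the blind "start with SSL or !SSL, then try the other one" behaviour Craig describes, and `negotiate` is the STARTTLS / IMAP-CAPABILITY style banner that a "capabilities negotiation" would provide. The host address, banner format, error text and all function names are constructed for this example and are not part of any real protocol.

```python
"""Toy model of blind-guess versus negotiated transport-security setup.

Hypothetical illustration only: not PostgreSQL's wire protocol.
A 'policy' stands in for what pg_hba.conf decides for one client host:
  'require' -> TLS is mandatory
  'allow'   -> either transport is accepted
  'reject'  -> TLS is refused (only cleartext accepted)
"""
from dataclasses import dataclass, field
from typing import List, Optional

POLICIES = ("require", "allow", "reject")


def server_accepts(policy: str, tls: bool) -> bool:
    """Server side: apply the host's policy to the transport the client chose."""
    if policy == "require":
        return tls
    if policy == "reject":
        return not tls
    return True  # 'allow'


def fatal_message(tls: bool) -> str:
    """The kind of error the client sees today: it names what failed, not what to do.
    Host, user and database values are constructed for this example."""
    return ('FATAL: no pg_hba.conf entry for host "192.0.2.10", user "app", '
            'database "whatever", SSL %s' % ("on" if tls else "off"))


@dataclass
class Outcome:
    connected: bool
    tls: Optional[bool]          # transport actually used, None if never connected
    attempts: int                # full connection attempts spent
    errors: List[str] = field(default_factory=list)


def guess_and_retry(policy: str, try_tls_first: bool) -> Outcome:
    """Current style: the client picks a transport blind; on failure it reconnects
    with the other one. Each failed attempt costs a full connection (and, when it
    guessed TLS, a full handshake) that is then thrown away."""
    errors: List[str] = []
    for attempt, tls in enumerate((try_tls_first, not try_tls_first), start=1):
        if server_accepts(policy, tls):
            return Outcome(True, tls, attempt, errors)
        errors.append(fatal_message(tls))
    return Outcome(False, None, 2, errors)


def capabilities_banner(policy: str) -> str:
    """Negotiated style: the server announces its requirement before any credentials
    are sent, the way an IMAP server lists CAPABILITY / STARTTLS."""
    return {"require": "CAPABILITIES TLS=required",
            "allow": "CAPABILITIES TLS=optional",
            "reject": "CAPABILITIES TLS=unsupported"}[policy]


def negotiate(policy: str, client_requires_tls: bool) -> Outcome:
    """One connection: read the banner, pick a transport the server will accept,
    but never let the banner talk the client below its own minimum."""
    banner = capabilities_banner(policy)
    server_tls = banner.split("TLS=", 1)[1]
    if server_tls == "required":
        tls = True
    elif server_tls == "unsupported":
        if client_requires_tls:
            # Fail closed: an 'unsupported' banner must not downgrade a client that
            # is configured to insist on TLS.
            return Outcome(False, None, 1, ["client: TLS required but server offers none"])
        tls = False
    else:  # optional: prefer TLS, the client's own setting decides
        tls = True
    assert server_accepts(policy, tls)  # the banner made the choice unambiguous
    return Outcome(True, tls, 1, [])
```

The point of the model is the `attempts` and `errors` fields: with a require-TLS host, a client that guesses cleartext first burns a whole connection and gets back only the "SSL off" FATAL line, whereas the banner lets it choose correctly on the first try. The `client_requires_tls` branch is the caveat that goes with any STARTTLS-style design: the banner tells the client what the server will accept, but a client configured to require encryption must refuse an "unsupported" answer rather than follow it, otherwise anything on the path that can alter the banner can strip the protection.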