On 9/2/15 7:15 PM, Andres Freund wrote:
>> Add a regression test suite for SSL support.
>>
>> It's not run by the global "check" or "installcheck" targets, because the
>> temporary installation it creates accepts TCP connections from any user on
>> the same host, which is insecure.
>
> We could just implement SSL over unix sockets. Obviously the
> connection-encryption aspect isn't actually useful, but e.g. client
> certs still make sense. Besides, it allows us to avoid concerns like the
> above...
See old discussion here: http://www.postgresql.org/message-id/49ca2524.5010...@gmx.net

At the time, we didn't have this test suite, obviously, so the utility would have been limited, but now it looks quite interesting. The only trick, as I remember, was that clients tend to prefer SSL automatically, which we probably don't want for Unix-domain sockets, so we'd need to tweak those settings a bit.

The "old patch" referred to in that old thread wasn't actually attached, so here it is, for amusement.
diff -ur ../cvs-pgsql/src/backend/postmaster/postmaster.c ./src/backend/postmaster/postmaster.c --- ../cvs-pgsql/src/backend/postmaster/postmaster.c 2008-01-04 15:55:25.000000000 +0100 +++ ./src/backend/postmaster/postmaster.c 2008-01-04 16:44:35.000000000 +0100 @@ -1448,8 +1448,8 @@ char SSLok; #ifdef USE_SSL - /* No SSL when disabled or on Unix sockets */ - if (!EnableSSL || IS_AF_UNIX(port->laddr.addr.ss_family)) + /* No SSL when disabled */ + if (!EnableSSL) SSLok = 'N'; else SSLok = 'S'; /* Support for SSL */ diff -ur ../cvs-pgsql/src/interfaces/libpq/fe-connect.c ./src/interfaces/libpq/fe-connect.c --- ../cvs-pgsql/src/interfaces/libpq/fe-connect.c 2008-01-04 15:55:31.000000000 +0100 +++ ./src/interfaces/libpq/fe-connect.c 2008-01-04 16:51:09.000000000 +0100 @@ -1261,11 +1261,6 @@ * If SSL is enabled and we haven't already got it running, * request it instead of sending the startup message. */ - if (IS_AF_UNIX(conn->raddr.addr.ss_family)) - { - /* Don't bother requesting SSL over a Unix socket */ - conn->allow_ssl_try = false; - } if (conn->allow_ssl_try && !conn->wait_ssl_try && conn->ssl == NULL) {
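Review bot: in the postmaster.c hunk, dropping the IS_AF_UNIX test from the SSLok decision makes the server answer 'S' to an SSLRequest on a Unix-domain socket whenever SSL is enabled, but nothing else on the server side changes and no documentation is touched; the removed comment ("No SSL when disabled or on Unix sockets") is the only record of the old rule left in this diff. Before this goes in, the user-facing description of the ssl setting needs updating, and it is worth checking whether pg_hba.conf connection-type matching (local vs. hostssl) lets a client-certificate rule apply to a Unix-socket connection at all, since client certs are the stated motivation in the quoted reply.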
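Review bot: in the fe-connect.c hunk, deleting the IS_AF_UNIX block means libpq sends SSLRequest on every Unix-socket connection whenever allow_ssl_try is set, so with the usual "prefer" default every local connection now pays for a TLS handshake; the cover note itself says that is probably unwanted. Rather than removing the block, narrow it: keep `conn->allow_ssl_try = false;` for Unix sockets only when the user has not explicitly asked for SSL (an sslmode of require or stronger), so the test suite and client-cert users can opt in while the default local path behaves as before.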
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
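The message above says the remaining trick is that clients "prefer SSL automatically", which is unwanted on Unix-domain sockets but must not break an explicit request for SSL (the client-cert case from the quoted reply). The following is an added example, not PostgreSQL source and not the patch's code: it models both sides of the SSLRequest exchange the patch touches, with a hypothetical client rule that treats "prefer" as "do not request SSL" on a Unix socket while still honouring require/verify-ca/verify-full. The enum names, `client_requests_ssl`, `server_ssl_answer` and `negotiate` are this example's own; the sslmode keyword values are libpq's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example (not PostgreSQL source): a model of the SSLRequest
 * negotiation with a hypothetical Unix-socket rule for "prefer". */

typedef enum {
    SSLMODE_DISABLE,
    SSLMODE_ALLOW,
    SSLMODE_PREFER,
    SSLMODE_REQUIRE,
    SSLMODE_VERIFY_CA,
    SSLMODE_VERIFY_FULL,
    SSLMODE_INVALID
} SslMode;

typedef enum { CONN_PLAIN, CONN_SSL, CONN_FAILED } Outcome;

/* Parse the libpq sslmode keyword values; anything else is rejected. */
SslMode parse_sslmode(const char *s)
{
    static const struct { const char *name; SslMode mode; } table[] = {
        {"disable", SSLMODE_DISABLE},     {"allow", SSLMODE_ALLOW},
        {"prefer", SSLMODE_PREFER},       {"require", SSLMODE_REQUIRE},
        {"verify-ca", SSLMODE_VERIFY_CA}, {"verify-full", SSLMODE_VERIFY_FULL},
    };
    if (s == NULL)
        return SSLMODE_INVALID;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(s, table[i].name) == 0)
            return table[i].mode;
    return SSLMODE_INVALID;
}

/* Client side: should SSLRequest be sent before the startup packet?
 * Hypothetical Unix-socket rule: "prefer" does not request SSL there,
 * because the encryption buys nothing; an explicit require/verify-* still
 * does, so client-certificate authentication stays reachable. */
bool client_requests_ssl(SslMode mode, bool is_unix_socket)
{
    if (mode == SSLMODE_INVALID || mode <= SSLMODE_ALLOW)
        return false;
    if (is_unix_socket && mode == SSLMODE_PREFER)
        return false;
    return true;
}

/* Server side: the one-byte reply to SSLRequest once it no longer depends
 * on the socket family, only on whether SSL is enabled. */
char server_ssl_answer(bool enable_ssl)
{
    return enable_ssl ? 'S' : 'N';
}

/* Run one negotiation end to end. The "allow" fallback (plain startup
 * first, SSL retry if the server rejects it) is deliberately not modelled. */
Outcome negotiate(const char *sslmode, bool is_unix_socket, bool server_enable_ssl)
{
    SslMode mode = parse_sslmode(sslmode);
    if (mode == SSLMODE_INVALID)
        return CONN_FAILED;
    if (!client_requests_ssl(mode, is_unix_socket))
        return CONN_PLAIN;
    if (server_ssl_answer(server_enable_ssl) == 'S')
        return CONN_SSL;
    /* Server answered 'N': fine for "prefer", fatal for require and stronger. */
    return mode >= SSLMODE_REQUIRE ? CONN_FAILED : CONN_PLAIN;
}
```

The point of the model is the two asymmetries it makes visible: the server side is now socket-agnostic, so the only thing stopping a default local connection from negotiating TLS is the client's treatment of "prefer"; and a client that says "require" on a Unix socket against a server with SSL off fails rather than silently falling back, which is the behaviour a client-cert test would want.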