On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <m...@debian.org> wrote:

> Re: Peter Eisentraut 2016-07-17 <
> d6b22200-0e65-d17e-b227-b63d81720...@2ndquadrant.com>
> > On 7/15/16 3:07 PM, Andrew Dunstan wrote:
> > > Do those packagers who install dummy certificates and turn SSL on also
> > > change their pg_hba.conf.sample files to use hostssl?. That could go a
> > > long way towards encouraging people.
> >
> > Debian, which I guess sort of started this, does not, but there are
> > allusions to it in the TODO list.
> I guess we should actually do that if we had any non-local(host)
> entries in there by default, but we don't touch the default
> pg_hba.conf from pg_createcluster.

What could actually be useful there is to explicitly put hostnossl on the
localhost entries. With the current defaults on the clients, that wouldn't
break anything, and it would leave people without the performance issues
that you run into in the default deployments. And for localhost it really
does't make sense to encrypt -- for the local LAN segment that can be
argued, but for localhost...

 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

Reply via email to