On Tue, 10 Jun 2003, Nigel J. Andrews wrote:

> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow a SSL connection but requires
> the hostssl specifier?

Nigel,

We had discussed overhauling the connection settings on both client and 
server to cover all needs, along these lines:

> Date: Tue, 7 Jan 2003 16:07:58 -0500 (EST)
> From: Bruce Momjian <[EMAIL PROTECTED]>
> To: Peter Eisentraut <[EMAIL PROTECTED]>
> Cc: Jon Jensen <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [PATCHES] Refuse SSL patchf
> 
> Peter Eisentraut wrote:
> > Bruce Momjian writes:
> > 
> > > > Tom thought that having conflicting REFUSESSL and REQUIRESSL directives
> > > > would be confusing, and since I dug up someone's old discussion in the
> > > > list archives of the four possible modes, we could move to that.
> > >
> > > Oh.  I find two params clearer than one with meaningless numbers.  :-)
> > 
> > But the numeric model provides four modes (refuse ssl, prefer no ssl,
> > prefer ssl, require ssl) whereas the refuse/require combination only
> > provides three modes (refuse ssl, require ssl, and one other depending on
> > how you define it when neither is set).  If you don't like numbers, make
> > them words.
> 
> OK, that works:
> 
>       require
>       prevent
>       prefer
>       noprefer
> 
> This allows us to subsume PGREQUIRE_SSL into the new variable.  Do we
> still need additional functionality in pg_hba.conf?  I am only asking if
> pushing these decisions out to the client makes sense?
> 
> For performance reasons, it is good to push this information out to the
> clients so the proper connection method is used the first time. 
> 
> However, for easier maintenance, we could have all of this in
> pg_hba.conf only, and have clients try SSL first, and fall back to
> non-SSL if the server doesn't want SSL.  It would require two new
> pg_hba.conf line types.  We have prefer-SSL (host) and SSL-only (ssl)
> now.
> 
>       require (ssl)
>       prevent (nossl)
>       prefer  (hostpreferssl)
>       noprefer(host)
> 
> This would change 'host' to not prefer SSL.

Unfortunately, I lived with my own local patch and forgot about making the
more general one these past five months.

This proposal would meet your needs, wouldn't it?

Jon

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Reply via email to