On Mon, May 30, 2011 at 20:39, Tom Lane wrote:
> Magnus Hagander writes:
>> On Fri, May 13, 2011 at 00:21, Tom Lane wrote:
>>> Magnus Hagander writes:
On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
> I wouldn't have a problem with making the Windows port throw an error
> for "loca
Magnus Hagander writes:
> On Fri, May 13, 2011 at 00:21, Tom Lane wrote:
>> Magnus Hagander writes:
>>> On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
I wouldn't have a problem with making the Windows port throw an error
for "local" lines. We'd have to fix initdb to remove that line f
On Fri, May 13, 2011 at 00:21, Tom Lane wrote:
> Magnus Hagander writes:
>> On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
>>> I wouldn't have a problem with making the Windows port throw an error
>>> for "local" lines. We'd have to fix initdb to remove that line from the
>>> sample file (if it
On Fri, May 13, 2011 at 00:21, Tom Lane wrote:
> Magnus Hagander writes:
>> On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
>>> I wouldn't have a problem with making the Windows port throw an error
>>> for "local" lines. We'd have to fix initdb to remove that line from the
>>> sample file (if it
Magnus Hagander writes:
> On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
>> I wouldn't have a problem with making the Windows port throw an error
>> for "local" lines. We'd have to fix initdb to remove that line from the
>> sample file (if it doesn't already), but that's surely not hard.
> It d
On Tue, May 10, 2011 at 05:39, Tom Lane wrote:
> Bruce Momjian writes:
>> Late reply, but we are basically ignoring 'local' lines if the build
>> doesn't support unix domain sockets (windows), but throwing an error for
>> hostssl usage if ssl is not compiled in. Is the only logic here that
>> 'l
Bruce Momjian writes:
> Late reply, but we are basically ignoring 'local' lines if the build
> doesn't support unix domain sockets (windows), but throwing an error for
> hostssl usage if ssl is not compiled in. Is the only logic here that
> 'local' is part of the default pg_hba.conf and hostssl i
Tom Lane wrote:
> Peter Eisentraut writes:
> > On mån, 2011-04-25 at 14:18 -0400, Tom Lane wrote:
> >> In the particular case at hand, if someone is trying to use the same
> >> hostssl-containing pg_hba.conf across multiple systems, is it not
> >> reasonable to suppose that he should have SSL tur
Peter Eisentraut writes:
> On mån, 2011-04-25 at 19:18 -0400, Tom Lane wrote:
>> Hm, does that mean we have consensus on treating it as an error?
> Regarding the patch you committed: I would avoid hardcoding
> "postgresql.conf" in error or hint messages, since we don't know whether
> that's the
On mån, 2011-04-25 at 19:18 -0400, Tom Lane wrote:
> Hm, does that mean we have consensus on treating it as an error?
Regarding the patch you committed: I would avoid hardcoding
"postgresql.conf" in error or hint messages, since we don't know whether
that's the actual name of the file. No other m
On 04/25/2011 07:18 PM, Tom Lane wrote:
Peter Eisentraut writes:
On mån, 2011-04-25 at 15:26 -0400, Tom Lane wrote:
Well, it's not just to be "helpful", it's to close off code paths that
are never going to be sufficiently well-tested to not have bizarre
failure modes. That helps both devel
Peter Eisentraut writes:
> On mån, 2011-04-25 at 15:26 -0400, Tom Lane wrote:
>> Well, it's not just to be "helpful", it's to close off code paths that
>> are never going to be sufficiently well-tested to not have bizarre
>> failure modes. That helps both developers (who don't have to worry
>> a
On mån, 2011-04-25 at 15:26 -0400, Tom Lane wrote:
> Well, it's not just to be "helpful", it's to close off code paths that
> are never going to be sufficiently well-tested to not have bizarre
> failure modes. That helps both developers (who don't have to worry
> about testing/fixing such code pat
Peter Eisentraut writes:
> On mån, 2011-04-25 at 14:18 -0400, Tom Lane wrote:
>> In the particular case at hand, if someone is trying to use the same
>> hostssl-containing pg_hba.conf across multiple systems, is it not
>> reasonable to suppose that he should have SSL turned on in
>> postgresql.co
On mån, 2011-04-25 at 14:18 -0400, Tom Lane wrote:
> In the particular case at hand, if someone is trying to use the same
> hostssl-containing pg_hba.conf across multiple systems, is it not
> reasonable to suppose that he should have SSL turned on in
> postgresql.conf on all those systems? If he d
Peter Eisentraut writes:
> On mån, 2011-04-25 at 13:11 -0400, Tom Lane wrote:
>> Or we could go in the direction of making hostssl lines be a silent
>> no-op in both cases, but that doesn't seem like especially
>> user-friendly design to me. We don't treat any other cases in
>> pg_hba.conf compa
On mån, 2011-04-25 at 19:12 +0200, Magnus Hagander wrote:
> We need to be very careful about ignoring *anything* in pg_hba.conf,
> since it's security configuration. Doing it silently is even worse.
You're not really "ignoring" anything. It's just not going to be a
match.
On mån, 2011-04-25 at 13:11 -0400, Tom Lane wrote:
> Or we could go in the direction of making hostssl lines be a silent
> no-op in both cases, but that doesn't seem like especially
> user-friendly design to me. We don't treat any other cases in
> pg_hba.conf comparably AFAIR.
We ignore "local" e
Magnus Hagander writes:
> On Mon, Apr 25, 2011 at 19:38, Tom Lane wrote:
>> While I'm looking at this, I notice that here (and in some other places
>> in pg_hba.conf) we say "not supported on this platform" which seems
>> rather bogus to me. It implies that it's not possible to have SSL
>> suppo
On Mon, Apr 25, 2011 at 19:38, Tom Lane wrote:
> Magnus Hagander writes:
>> Yeah, better make any misconfiguration very clear - let's throw an error.
>
> OK, so we need something like (untested)
>
> if (token[4] == 's') /* "hostssl" */
> {
> #ifdef USE_SSL
> + if (!
Magnus Hagander writes:
> Yeah, better make any misconfiguration very clear - let's throw an error.
OK, so we need something like (untested)
if (token[4] == 's')/* "hostssl" */
{
#ifdef USE_SSL
+if (!EnableSSL)
+{
+ereport(LOG,
+
On Mon, Apr 25, 2011 at 19:18, Tom Lane wrote:
> Magnus Hagander writes:
>> On Mon, Apr 25, 2011 at 18:59, Robert Haas wrote:
>>> It's not clear to me what behavior you are proposing. Would we
>>> disregard the hostssl line or treat it as an error?
>
>> It would absolutely have to be treat it a
On Mon, Apr 25, 2011 at 1:11 PM, Tom Lane wrote:
> Robert Haas writes:
>> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane wrote:
>>> I'm inclined to think that the correct fix is to make parse_hba_line,
>>> where it first realizes the line is "hostssl", check not only that SSL
>>> support is compiled
Magnus Hagander writes:
> On Mon, Apr 25, 2011 at 18:59, Robert Haas wrote:
>> It's not clear to me what behavior you are proposing. Would we
>> disregard the hostssl line or treat it as an error?
> It would absolutely have to be treat it as an error. Another option
> would be to throw a more s
On Mon, Apr 25, 2011 at 19:11, Tom Lane wrote:
> Robert Haas writes:
>> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane wrote:
>>> I'm inclined to think that the correct fix is to make parse_hba_line,
>>> where it first realizes the line is "hostssl", check not only that SSL
>>> support is compiled b
Robert Haas writes:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane wrote:
>> I'm inclined to think that the correct fix is to make parse_hba_line,
>> where it first realizes the line is "hostssl", check not only that SSL
>> support is compiled but that it's turned on.
> It's not clear to me what b
On Mon, Apr 25, 2011 at 18:59, Robert Haas wrote:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane wrote:
>> A recent complaint in pgsql-novice revealed that if you have say
>>
>> hostssl all all 127.0.0.1/32 md5
>> clientcert=1
>>
>> in pg_hba.conf, but you for
On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane wrote:
> A recent complaint in pgsql-novice revealed that if you have say
>
> hostssl all all 127.0.0.1/32 md5
> clientcert=1
>
> in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
> you get something l
A recent complaint in pgsql-novice revealed that if you have say
hostssl all all 127.0.0.1/32 md5
clientcert=1
in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
you get something like this:
LOG: client certificates can only be checked if a r
29 matches