
Re: Unfriendly handling of pg_hba SSL options with SSL off

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Unfriendly handling of pg_hba SSL options with SSL off
Date: 2011-04-25 18:03:21
Message-ID: 1303754601.5006.43.camel@vanquo.pezone.net
Lists: pgsql-hackers

On mån, 2011-04-25 at 13:11 -0400, Tom Lane wrote:
> Or we could go in the direction of making hostssl lines be a silent
> no-op in both cases, but that doesn't seem like especially
> user-friendly design to me.  We don't treat any other cases in
> pg_hba.conf comparably AFAIR.

We ignore "local" even if the system doesn't have Unix-domain sockets.
We ignore IPvN entries even if listen_addresses doesn't contain any IPvN
addresses (this could be considered equivalent to ssl = on/off).

In my experience, it is best to ignore these things.  You don't lose
anything -- if you don't have SSL configured, no one is going to connect
with SSL -- and at best you're going to annoy admins who want to
configure systems consistently.
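
For admins who keep one pg_hba.conf across differently configured systems, a small checker can report which entries are inert under a given server configuration (hostssl with ssl off, or an address family with no matching listen address). This is an added example, not part of the original message or of PostgreSQL's code; the function names, the sample file and the simplified parsing (no quoted fields, no include files, `*` and host names treated as covering both families) are assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the original message.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS       METHOD
local    all       all                 peer
host     all       all   127.0.0.1/32  md5
hostssl  all       all   10.0.0.0/8    md5
host     all       all   ::1/128       md5
"""

def listen_families(listen_addresses):
    """Return the IP versions (4 and/or 6) implied by listen_addresses."""
    families = set()
    for item in listen_addresses.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            families.add(ipaddress.ip_address(item).version)
        except ValueError:
            # '*' or a host name: assume it may cover both families.
            families |= {4, 6}
    return families

def inert_entries(hba_text, ssl_on, listen_addresses):
    """List (line number, type, reason) for entries that cannot match."""
    families = listen_families(listen_addresses)
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # simplified: no quoting
        if not fields:
            continue
        kind = fields[0]
        if kind == "hostssl" and not ssl_on:
            findings.append((lineno, kind, "ssl is off"))
            continue
        if kind in ("host", "hostssl", "hostnossl") and len(fields) >= 4:
            try:
                version = ipaddress.ip_network(fields[3], strict=False).version
            except ValueError:
                continue  # host name or keyword such as 'all': not checked
            if version not in families:
                findings.append((lineno, kind, f"no IPv{version} listen address"))
    return findings

if __name__ == "__main__":
    for finding in inert_entries(SAMPLE_HBA, ssl_on=False, listen_addresses="127.0.0.1"):
        print(finding)
```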

