Skip site navigation (1) Skip section navigation (2)

Re: SSL patch

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <mha(at)sollentuna(dot)net>
Cc: pgsql-interfaces(at)hub(dot)org, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: SSL patch
Date: 1999-07-23 16:23:44
Message-ID: 14826.932747024@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-interfaces
Magnus Hagander <mha(at)sollentuna(dot)net> writes:
> I've now finished "polishing off" my old SSL code, and rewritten it to work
> with 6.6 (current snapshot). Included is the patch against the cvs tree from
> Jul 22nd.

Cool.  Secure connections are good.

> Unfortunatly, in order to allow for negotiated SSL, this patch breaks the
> current protocol (meaning old clients will not work with the new server, and
> the other way around). I felt it was better to break this here, than to
> break the frontend API (which would otherwise have been required).

This is *not* cool.  Breaking both clients and servers, whether they
actually support SSL or not, is a bit much, don't you think?  Especially
when the way you propose to do it makes it impossible for a server to
support both old and new clients: by the time the server finds out the
client's protocol version, it's already done something incompatible
with old clients.

I think there must be some way of signaling SSL support capability
without making a backwards-incompatible change in the startup protocol.
At a minimum an SSL-enabled server must be able to accept connections
from pre-SSL clients.

If nothing better comes to mind, we could have SSL-capable servers
listen at two port addresses, say 5432 for insecure connections and
5433 for secure ones.  But there's probably a better way.

BTW, it should be possible for the dbadmin to configure a server to
accept *only* secured connections, perhaps from a subset of users/hosts;
that would take a new column in pg_hba.conf.  Didn't look at your patch
closely enough to see if you already did that...

			regards, tom lane

Responses

pgsql-hackers by date

Next:From: Thomas LockhartDate: 1999-07-23 16:30:15
Subject: Re: [HACKERS] Phantom row from aggregate in self-join in 6.5
Previous:From: Mike MascariDate: 1999-07-23 16:19:41
Subject: Index not used on select (Is this more OR + LIKE?)

pgsql-interfaces by date

Next:From: Doug ThistlethwaiteDate: 1999-07-23 16:41:24
Subject: Connection from win95 to postgresql using JDBC and jdk1.2
Previous:From: Jeremy BettisDate: 1999-07-23 14:25:53
Subject: Re: [INTERFACES] Postgresql + lo

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group