Unfriendly handling of pg_hba SSL options with SSL off

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Unfriendly handling of pg_hba SSL options with SSL off
Date: 2011-04-25 16:52:18
Message-ID: 16039.1303750338@sss.pgh.pa.us
Lists: pgsql-hackers
A recent complaint in pgsql-novice revealed that if you have say

hostssl    all             all             127.0.0.1/32            md5 clientcert=1

in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
you get something like this:

LOG:  client certificates can only be checked if a root certificate store is available
HINT:  Make sure the root.crt file is present and readable.
CONTEXT:  line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf"
LOG:  client certificates can only be checked if a root certificate store is available
HINT:  Make sure the root.crt file is present and readable.
CONTEXT:  line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf"
FATAL:  could not load pg_hba.conf

Needless to say, this is pretty unhelpful, especially if you actually do
have a root.crt file.

I'm inclined to think that the correct fix is to make parse_hba_line,
where it first realizes the line is "hostssl", check not only that SSL
support is compiled but that it's turned on.  Is it really sensible to
allow hostssl lines in pg_hba.conf when SSL is turned off?  At best
they are no-ops, and at worst they're going to result in weird failures
like this one.

			regards, tom lane
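
Added example, not part of the original message and not PostgreSQL code: a pre-start lint that reports hostssl lines in pg_hba.conf when the ssl setting in postgresql.conf is off, which is the mismatch behind the misleading root.crt log above. The function names and sample file contents are constructed for illustration; the sketch assumes no include directives and no quoted "#" characters.

```python
import re

# Boolean spellings treated as "on" here (simplified; assumption of this sketch).
TRUE_VALUES = {"on", "true", "yes", "1"}
SSL_LINE = re.compile(r"^ssl(?:\s*=\s*|\s+)'?(\w+)'?$", re.IGNORECASE)

def ssl_enabled(postgresql_conf: str) -> bool:
    """Effective ssl setting: the last assignment wins, the default is off."""
    enabled = False
    for raw in postgresql_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        match = SSL_LINE.match(line)          # does not match ssl_ciphers etc.
        if match:
            enabled = match.group(1).lower() in TRUE_VALUES
    return enabled

def hostssl_findings(pg_hba: str, ssl_on: bool):
    """Return (line number, has clientcert option) for each hostssl line
    that cannot work because SSL is turned off."""
    if ssl_on:
        return []
    findings = []
    for lineno, raw in enumerate(pg_hba.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "hostssl":
            has_cert = any(f.startswith("clientcert=") for f in fields[1:])
            findings.append((lineno, has_cert))
    return findings

# Constructed sample input: ssl left commented out, one hostssl rule.
SAMPLE_POSTGRESQL_CONF = """\
#ssl = on            # commented out, so the default (off) applies
port = 5432
"""
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all  all  md5
hostssl    all             all             127.0.0.1/32            md5 clientcert=1
host    all  all  ::1/128  md5
"""

if __name__ == "__main__":
    ssl_on = ssl_enabled(SAMPLE_POSTGRESQL_CONF)
    for lineno, has_cert in hostssl_findings(SAMPLE_PG_HBA, ssl_on):
        extra = " (clientcert option also set)" if has_cert else ""
        print(f"pg_hba.conf line {lineno}: hostssl rule but ssl is off{extra}")
```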
