Re: Unfriendly handling of pg_hba SSL options with SSL off

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Unfriendly handling of pg_hba SSL options with SSL off
Date: 2011-04-25 17:11:21
Message-ID: 16395.1303751481@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> I'm inclined to think that the correct fix is to make parse_hba_line,
>> where it first realizes the line is "hostssl", check not only that SSL
>> support is compiled but that it's turned on.

> It's not clear to me what behavior you are proposing. Would we
> disregard the hostssl line or treat it as an error?

Sorry, I wasn't clear. I meant to throw an error. We already do throw
an error if you put hostssl in pg_hba.conf when SSL support wasn't
compiled at all. Why shouldn't we throw an error if it's compiled but
not turned on?

Or we could go in the direction of making hostssl lines be a silent
no-op in both cases, but that doesn't seem like especially user-friendly
design to me. We don't treat any other cases in pg_hba.conf comparably
AFAIR.

regards, tom lane
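
The check proposed in this message, sketched as an added example that is not part of the original e-mail and is not PostgreSQL source code: a `hostssl` line is rejected both when SSL support is not compiled in and when it is compiled in but turned off. The function names, status codes and sample file contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names and constructed sample data; not PostgreSQL source. */
typedef enum { HBA_OK, HBA_ERR_SSL_NOT_COMPILED, HBA_ERR_SSL_OFF } hba_status;
static const char SAMPLE_HBA[] =
    "# TYPE   DATABASE USER ADDRESS       METHOD\n"
    "local    all      all                md5\n"
    "hostssl  all      all  0.0.0.0/0     md5\n"
    "host     all      all  127.0.0.1/32  md5\n";

/* Check the connection-type token at the start of one pg_hba.conf line. */
hba_status check_hba_conntype(const char *line, int ssl_compiled, int ssl_enabled)
{
    char type[32];
    line += strspn(line, " \t");
    if (*line == '\0' || *line == '\n' || *line == '\r' || *line == '#')
        return HBA_OK;                      /* blank line or comment */
    if (sscanf(line, "%31s", type) != 1 || strcmp(type, "hostssl") != 0)
        return HBA_OK;                      /* other types are out of scope here */
    if (!ssl_compiled)
        return HBA_ERR_SSL_NOT_COMPILED;    /* the case that is already an error */
    return ssl_enabled ? HBA_OK : HBA_ERR_SSL_OFF;  /* the case proposed to error too */
}

/* Return the 1-based number of the first rejected line, or 0 if none. */
int check_hba_text(const char *text, int ssl_compiled, int ssl_enabled, hba_status *why)
{
    int lineno = 1;
    *why = HBA_OK;
    for (const char *p = text; p != NULL && *p != '\0'; lineno++) {
        *why = check_hba_conntype(p, ssl_compiled, ssl_enabled);
        if (*why != HBA_OK)
            return lineno;                  /* fail the load instead of skipping the line */
        if ((p = strchr(p, '\n')) != NULL)
            p++;
    }
    return 0;
}

int main(void)
{
    hba_status why;
    int bad = check_hba_text(SAMPLE_HBA, 1, 0, &why);  /* compiled in, ssl off */
    printf("first rejected line: %d (status %d)\n", bad, (int) why);
    return 0;
}
```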