Re: Refuse SSL patch

Jon, I just documented the service/PGSERVICE capability in the CVS tree.
It allows a pg_service.conf file that controls additional libpq
connection options. In your app, you just do:

connectdb("service=conn1")

and "conn1" is looked up in pg_service.conf and it gets its other
connection parameters from there. The code is already in 7.3. I just
documented it, and changed auto-dbname setting to be active only when
they don't specify a dbname. Also, I created a sample file called
pg_service.conf.sample.

This may provide a better way for you to control SSL rather than
changing PGREQUIRE_SSL, which was also recently documented in the CVS
tree.

I don't think overloading REQUIRE to mean something else is really the
way to go. Looking at your options, we have:

> > 0 - Refuse SSL

Hard to imagine why someone would pick this one.

> > 1 - Negotiate, Prefer non-SSL

This is the only new valid one. My question is why you would specify ssl
on the host if you don't need ssl?

> > 2 - Negotiate, Prefer SSL (default)

Already the default for no requiressl.

> > 3 - Require SSL

Already requiressl.

If the problem is that some apps need requiressl and others don't, I
think the service file may be your cleanest option.

---------------------------------------------------------------------------

Jon Jensen wrote:
> PostgreSQL hackers,
>
> This patch allows the PostgreSQL server to refuse SSL connections
> selectively, and the clients to not initiate SSL connections.
>
> The point is for me to be able to choose non-SSL connections over SSL,
> even when SSL is available, for maximum performance. I've got a PostgreSQL
> server that has a separate private network link to an application server,
> and I want database connections there to always be non-SSL for speed. But
> I also connect to the same PostgreSQL instance from a remote site, and
> always want that connection to be SSL only for security.
>
> I haven't seen any previous mention of a similar patch, though I found the
> following idea proposed by Magnus Hagander which I like:
>
> > Perhaps we shuold replace PGREQUIRE_SSL with "PGSSLMODE", being:
> > 0 - Refuse SSL
> > 1 - Negotiate, Prefer non-SSL
> > 2 - Negotiate, Prefer SSL (default)
> > 3 - Require SSL
>
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
>
> He also notes the desire to be able to disable SSL for speed.
>
> Magnus's post was over two years ago and it doesn't appear anything along
> these lines was done. Since then the current setup of 'host'/'hostssl' in
> pg_hba.conf and the client connect option 'requiressl' is pretty firmly
> engrained, so to keep compatibility I added 'hostnossl' to pg_hba and a
> 'nossl' option to the client library.
>
> Patch against PostgreSQL 7.2.3 is attached.
>
> Is this useful to others? If you'd like me to make some changes to make it
> acceptable, please let me know.
>
> Thanks,
> Jon

Content-Description:

[ Attachment, skipping... ]

Content-Description:

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073