
Re: sslmode patch

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Jon Jensen <jon(at)endpoint(dot)com>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: sslmode patch
Date: 2003-07-26 13:50:16
Message-ID: 200307261350.h6QDoG602897@candle.pha.pa.us
Lists: pgsql-hackers, pgsql-patches
Newest patch applied.  Thanks.

---------------------------------------------------------------------------



Jon Jensen wrote:
> Folks,
> 
> At long last I put together a patch to support 4 client SSL negotiation
> modes (and replace the requiressl boolean). The four options were first
> spelled out by Magnus Hagander <mha(at)sollentuna(dot)net> on 2000-08-23 in email
> to pgsql-hackers, archived here:
> 
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
> 
> My original less-flexible patch and the ensuing thread are archived at:
> 
> http://dbforums.com/t623845.html
> 
> Attached is a new patch, including documentation.
> 
> To sum up, there's a new client parameter "sslmode" and environment 
> variable "PGSSLMODE", with these options:
> 
> sslmode   description
> -------   -----------
> disable   Unencrypted non-SSL only
> allow     Negotiate, prefer non-SSL
> prefer    Negotiate, prefer SSL (default)
> require   Require SSL
> 
> The only change to the server is a new pg_hba.conf line type,
> "hostnossl", for specifying connections that are not allowed to use SSL
> (for example, to prevent servers on a local network from accidentally
> using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
> 
> pg_hba.conf line types
> ----------------------
> host       applies to either SSL or regular connections
> hostssl    applies only to SSL connections
> hostnossl  applies only to regular connections
> 
> These client and server options, the postgresql.conf ssl = false option,
> and finally the possibility of compiling with no SSL support at all,
> make quite a range of combinations to test. I threw together a test
> script to try many of them out. It's in a separate tarball with its
> config files, a patch to psql so it'll announce SSL connections even in
> absence of a tty, and the test output. The test is especially informative 
> when run on the same tty the postmaster was started on, so the FATAL: 
> errors during negotiation are interleaved with the psql client output.
> 
> I saw Tom write that new submissions for 7.4 have to be in before midnight
> local time, and since I'm on the east coast in the US, this just makes it
> in before the bell. :)
> 
> Jon

[ Attachment, skipping... ]

[ Attachment, skipping... ]


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
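The mail above describes four client sslmode values, the server's postgresql.conf ssl setting, and three pg_hba.conf line types, and says a test script was used to exercise the combinations. What follows is an added example (not code from the patch, from libpq, or from the postmaster) that models those combinations in Python so the outcomes can be tabulated offline. The retry order it assumes for the two negotiating modes (allow: cleartext first, then SSL; prefer: SSL first, then cleartext) is an assumption about what "negotiate" means, not something the mail spells out, and the pg_hba.conf sample is constructed. The security point it makes visible: prefer, the default, silently ends up in cleartext whenever the server refuses SSL or no hostssl line admits the client, so only require actually guarantees an encrypted session. Even require, as of this patch, only guarantees encryption and says nothing about the server's identity; certificate-checking modes (verify-ca, verify-full) arrived much later, in PostgreSQL 8.4.

```python
"""Model of the sslmode / ssl / pg_hba.conf negotiation described in the mail.

Added example, not code from the patch, libpq or the postmaster.  The retry
order in attempts() is an assumption; the sample pg_hba.conf is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSLMODES = ("disable", "allow", "prefer", "require")


@dataclass(frozen=True)
class HbaLine:
    """One pg_hba.conf line: TYPE DATABASE USER ADDRESS METHOD."""
    kind: str       # "host", "hostssl" or "hostnossl"
    database: str   # database name or "all"
    user: str       # role name or "all"
    address: str    # CIDR network, e.g. "10.0.0.0/8"
    method: str     # auth method, carried through unchanged


def parse_hba(text: str) -> List[HbaLine]:
    """Parse the three host-style line types; comments and blank lines are skipped."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, database, user, address, method = line.split()
        if kind not in ("host", "hostssl", "hostnossl"):
            raise ValueError("unsupported line type %r" % kind)
        lines.append(HbaLine(kind, database, user, address, method))
    return lines


def hba_match(hba, database, user, address, encrypted) -> Optional[HbaLine]:
    """First applicable line, or None (the postmaster's 'no pg_hba.conf entry')."""
    ip = ipaddress.ip_address(address)
    for line in hba:
        if line.kind == "hostssl" and not encrypted:
            continue            # hostssl applies only to SSL connections
        if line.kind == "hostnossl" and encrypted:
            continue            # hostnossl applies only to regular connections
        if line.database != "all" and line.database != database:
            continue
        if line.user != "all" and line.user != user:
            continue
        if ip not in ipaddress.ip_network(line.address):
            continue
        return line
    return None


def attempts(sslmode):
    """Encryption the client asks for on each try, in order (assumed order)."""
    order = {"disable": (False,), "allow": (False, True),
             "prefer": (True, False), "require": (True,)}
    if sslmode not in order:
        raise ValueError("unknown sslmode %r" % sslmode)
    return order[sslmode]


def connect(sslmode, server_ssl, hba, database, user, address):
    """Outcome of one client connection: ('ok', encrypted) or ('fatal', reason)."""
    reason = "no attempt made"
    for want_ssl in attempts(sslmode):
        if want_ssl and not server_ssl:
            # Server answers 'N' to the SSLRequest (postgresql.conf ssl = false).
            if sslmode == "require":
                return ("fatal", "server does not support SSL, but SSL was required")
            want_ssl = False    # allow/prefer carry on in cleartext
        if hba_match(hba, database, user, address, want_ssl) is not None:
            return ("ok", want_ssl)
        # Postmaster reports FATAL; the client may retry the other way.
        reason = "no pg_hba.conf entry for %s connection from %s" % (
            "SSL" if want_ssl else "non-SSL", address)
    return ("fatal", reason)


def matrix(server_ssl, hba, database, user, address):
    """All four client modes against one server setup, as the test script did."""
    return {m: connect(m, server_ssl, hba, database, user, address) for m in SSLMODES}


# Constructed sample: the LAN is told not to spend cycles on SSL,
# everyone else is admitted only over SSL.
SAMPLE_HBA = parse_hba("""
# TYPE      DATABASE  USER  ADDRESS          METHOD
hostnossl   all       all   10.0.0.0/8       md5
hostssl     all       all   203.0.113.0/24   md5
""")


if __name__ == "__main__":
    for addr in ("10.1.2.3", "203.0.113.5"):
        for server_ssl in (True, False):
            print(addr, "ssl=%s" % ("on" if server_ssl else "off"),
                  matrix(server_ssl, SAMPLE_HBA, "app", "alice", addr))
```

Run it and note two rows in particular: the LAN client with the default prefer ends up in cleartext without any error, which is exactly what the hostnossl line is for, and the remote client with prefer against a server built or configured without SSL also ends up with a FATAL rather than a cleartext session, because hostssl is the only line that admits it.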
