
pgsql-server/ oc/src/sgml/client-auth.sgml oc/ ...

From: momjian(at)svr1(dot)postgresql(dot)org (Bruce Momjian)
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql-server/ oc/src/sgml/client-auth.sgml oc/ ...
Date: 2003-07-26 13:50:03
Message-ID: 20030726135003.56979D1C92B@svr1.postgresql.org
Thread:
Lists: pgsql-committers
CVSROOT:	/cvsroot
Module name:	pgsql-server
Changes by:	momjian(at)svr1(dot)postgresql(dot)org	03/07/26 10:50:02

Modified files:
	doc/src/sgml   : client-auth.sgml libpq.sgml 
	src/backend/libpq: auth.c hba.c 
	src/interfaces/libpq: fe-connect.c libpq-int.h 

Log message:
	At long last I put together a patch to support 4 client SSL negotiation
	modes (and replace the requiressl boolean). The four options were first
	spelled out by Magnus Hagander <mha(at)sollentuna(dot)net> on 2000-08-23 in email
	to pgsql-hackers, archived here:
	
	http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
	
	My original less-flexible patch and the ensuing thread are archived at:
	
	http://dbforums.com/t623845.html
	
	Attached is a new patch, including documentation.
	
	To sum up, there's a new client parameter "sslmode" and environment
	variable "PGSSLMODE", with these options:
	
	sslmode   description
	-------   -----------
	disable   Unencrypted non-SSL only
	allow     Negotiate, prefer non-SSL
	prefer    Negotiate, prefer SSL (default)
	require   Require SSL
	
	The only change to the server is a new pg_hba.conf line type,
	"hostnossl", for specifying connections that are not allowed to use SSL
	(for example, to prevent servers on a local network from accidentally
	using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
	
	pg_hba.conf line types
	----------------------
	host       applies to either SSL or regular connections
	hostssl    applies only to SSL connections
	hostnossl  applies only to regular connections
	
	These client and server options, the postgresql.conf ssl = false option,
	and finally the possibility of compiling with no SSL support at all,
	make quite a range of combinations to test. I threw together a test
	script to try many of them out. It's in a separate tarball with its
	config files, a patch to psql so it'll announce SSL connections even in
	the absence of a tty, and the test output. The test is especially informative
	when run on the same tty the postmaster was started on, so the FATAL:
	errors during negotiation are interleaved with the psql client output.
	
	I saw Tom write that new submissions for 7.4 have to be in before midnight
	local time, and since I'm on the east coast in the US, this just makes it
	in before the bell. :)
	
	Jon Jensen
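As an added illustration (not part of this commit, and not PostgreSQL's own code), the following Python model plays the four "sslmode" settings against the three pg_hba.conf line types and the server's ssl = false setting. The retry behaviour is an assumption drawn from the "Negotiate, prefer ..." wording above: the client makes its preferred attempt first and, if that attempt is rejected, tries the other transport once. The pg_hba.conf format is reduced to five columns (type, database, user, CIDR, method) and the sample configuration is constructed for the example.

```python
import ipaddress

# Ordered attempts per sslmode: True = try SSL, False = try plain.
# Assumed model of "Negotiate, prefer ..." from the commit message: the
# client tries its preferred transport first and falls back to the other
# one if the first attempt is rejected by the server.
SSLMODE_ATTEMPTS = {
    "disable": [False],
    "allow": [False, True],
    "prefer": [True, False],   # the default
    "require": [True],
}

# Which pg_hba.conf line types accept an SSL (True) or non-SSL (False) connection.
LINE_TYPE_ACCEPTS = {
    "host": {True, False},
    "hostssl": {True},
    "hostnossl": {False},
}

# Constructed sample configuration (five-column subset of the real format).
SAMPLE_HBA = """
hostssl    all  all  10.0.0.0/8      md5     # remote LAN must use SSL
hostnossl  all  all  127.0.0.1/32    trust   # loopback: never waste cycles on SSL
host       all  all  192.168.1.0/24  md5     # either transport is fine
"""


def parse_hba(text):
    """Parse the simplified pg_hba.conf: '<type> <database> <user> <cidr> <method>'.
    Blank lines and '#' comments are skipped; malformed lines raise ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed pg_hba line: {raw!r}")
        line_type, database, user, cidr, method = fields
        if line_type not in LINE_TYPE_ACCEPTS:
            raise ValueError(f"unknown line type {line_type!r}")
        rules.append({
            "type": line_type, "database": database, "user": user,
            "network": ipaddress.ip_network(cidr), "method": method,
        })
    return rules


def hba_match(rules, client_addr, database, user, ssl):
    """Return the first rule that matches this connection, or None
    (no matching pg_hba.conf entry means the server rejects the attempt)."""
    addr = ipaddress.ip_address(client_addr)
    for rule in rules:
        if ssl not in LINE_TYPE_ACCEPTS[rule["type"]]:
            continue  # hostssl vs. hostnossl vs. host filter
        if rule["database"] not in ("all", database):
            continue
        if rule["user"] not in ("all", user):
            continue
        if addr not in rule["network"]:
            continue
        return rule
    return None


def negotiate(sslmode, server_ssl_enabled, rules, client_addr, database, user):
    """Simulate one client's attempts for a given sslmode against one server.
    Returns ('ssl' | 'plain', matched_rule) on success or (None, transcript)
    when every attempt allowed by sslmode was rejected."""
    if sslmode not in SSLMODE_ATTEMPTS:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    transcript = []
    for want_ssl in SSLMODE_ATTEMPTS[sslmode]:
        label = "SSL" if want_ssl else "plain"
        if want_ssl and not server_ssl_enabled:
            # postgresql.conf ssl = false, or a server built without SSL support
            transcript.append(f"{label} attempt: server does not offer SSL")
            continue
        rule = hba_match(rules, client_addr, database, user, want_ssl)
        if rule is None:
            transcript.append(f"{label} attempt: no pg_hba.conf entry")
            continue
        return ("ssl" if want_ssl else "plain"), rule
    return None, transcript


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for addr in ("10.0.0.5", "127.0.0.1", "192.168.1.7"):
        for mode in SSLMODE_ATTEMPTS:
            for server_ssl in (True, False):
                outcome, detail = negotiate(mode, server_ssl, rules, addr, "app", "alice")
                print(f"{addr:12} sslmode={mode:8} server_ssl={server_ssl!s:5} -> {outcome or detail}")
```

Running the block prints the full matrix; the informative rows are the ones where a "prefer" client on the loopback address silently ends up on a plain connection because only a hostnossl line matches, and where an "allow" client on the 10.0.0.0/8 network lands on SSL only because its first, plain attempt was refused. Those are exactly the cases the commit's test script was written to exercise.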


Copyright © 1996-2014 The PostgreSQL Global Development Group