Re: Refuse SSL patch

From: Jon Jensen <jon(at)endpoint(dot)com>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, "" <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Refuse SSL patch
Date: 2003-01-07 16:39:10
Message-ID: Pine.LNX.4.50.0301071631320.19672-100000@louche.swelter.net
Lists: pgsql-patches

On Tue, 7 Jan 2003, Bruno Wolff III wrote:

> On Tue, Jan 07, 2003 at 16:04:45 +0000,
> Jon Jensen <jon(at)endpoint(dot)com> wrote:
> >
> > 1. The client always tries to connect via SSL if SSL support was compiled
> > in. There is no way to change this presently.
> > 2. If the server can do SSL *at all*, it negotiates an SSL connection with
> > the client.
>
> Can't you use a "reject" hostssl line in hba.conf to keep SSL connections
> from working for particular IP addresses? Does the client not fall back
> in this case?

No, the client doesn't fall back if it makes a successful connection to
the server in SSL mode, but the server denies access. It only falls back
if the server can't do SSL at all.

And in any case, that still wouldn't allow me to decide on the client side
whether I want SSL or not, on a per-connection basis, because the client
always chooses SSL.

Jon
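
The negotiation described in this message, modelled as an added example (not part of the original message and not libpq code). The 8-byte SSLRequest and the server's single-byte 'S'/'N' answer are the PostgreSQL wire protocol's; `struct server_model`, `client_connect` and the outcome names are hypothetical, and the TLS handshake and authentication are reduced to flags.

```c
#include <stddef.h>
#include <stdint.h>

/* SSLRequest code in the PostgreSQL wire protocol: (1234 << 16) | 5679 */
#define NEGOTIATE_SSL_CODE ((1234u << 16) | 5679u)

enum outcome { CONNECTED_SSL, CONNECTED_PLAIN, CONNECT_FAILED };

/* Hypothetical server description used only by this model. */
struct server_model {
    int ssl_capable;      /* server answers 'S' to SSLRequest */
    int hba_allows_ssl;   /* 0 models a matching "reject" hostssl line */
    int hba_allows_plain; /* access would be granted without SSL */
};

/* Build SSLRequest: int32 length (8) then int32 code, network byte order. */
size_t build_ssl_request(uint8_t out[8])
{
    uint32_t len = 8, code = NEGOTIATE_SSL_CODE;
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(len  >> (24 - 8 * i));
        out[4 + i] = (uint8_t)(code >> (24 - 8 * i));
    }
    return 8;
}

/* The server's one-byte answer to SSLRequest. */
char server_reply(const struct server_model *s)
{
    return s->ssl_capable ? 'S' : 'N';
}

/* Client behaviour as the message describes it: SSL is always requested,
 * and the only fallback to a plain connection is on an 'N' answer. */
enum outcome client_connect(const struct server_model *s)
{
    uint8_t req[8];
    build_ssl_request(req);      /* always sent when SSL support is compiled in */

    if (server_reply(s) == 'N')  /* server can't do SSL at all: fall back */
        return s->hba_allows_plain ? CONNECTED_PLAIN : CONNECT_FAILED;

    /* 'S': the SSL connection succeeds, so a denial here is final,
     * even if a plain connection would have been accepted. */
    return s->hba_allows_ssl ? CONNECTED_SSL : CONNECT_FAILED;
}
```

With `{1, 0, 1}` (SSL-capable server, SSL access rejected, plain access allowed) the model returns `CONNECT_FAILED`, which is the case the message answers.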
