On mån, 2011-04-25 at 13:11 -0400, Tom Lane wrote:
> Or we could go in the direction of making hostssl lines be a silent
> no-op in both cases, but that doesn't seem like especially
> user-friendly design to me. We don't treat any other cases in
> pg_hba.conf comparably AFAIR.
We ignore "local" even if the system doesn't have Unix-domain sockets.
We ignore IPvN entries even if listen_addresses doesn't contain any IPvN
addresses (this could be considered equivalent to ssl = on/off).
In my experience, it is best to ignore these things. You don't lose
anything -- if you don't have SSL configured, no one is going to connect
with SSL -- and at best you're going to annoy admins who want to
configure systems consistently.