From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Jon Jensen <jon(at)endpoint(dot)com> |
Cc: | pgsql-patches(at)postgresql(dot)org |
Subject: | Re: sslmode patch |
Date: | 2003-07-26 13:50:16 |
Message-ID: | 200307261350.h6QDoG602897@candle.pha.pa.us |
Lists: | pgsql-hackers pgsql-patches |
Newest patch applied. Thanks.
---------------------------------------------------------------------------
Jon Jensen wrote:
> Folks,
>
> At long last I put together a patch to support 4 client SSL negotiation
> modes (and replace the requiressl boolean). The four options were first
> spelled out by Magnus Hagander <mha(at)sollentuna(dot)net> on 2000-08-23 in email
> to pgsql-hackers, archived here:
>
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
>
> My original less-flexible patch and the ensuing thread are archived at:
>
> http://dbforums.com/t623845.html
>
> Attached is a new patch, including documentation.
>
> To sum up, there's a new client parameter "sslmode" and environment
> variable "PGSSLMODE", with these options:
>
> sslmode    description
> -------    -----------
> disable    Unencrypted non-SSL only
> allow      Negotiate, prefer non-SSL
> prefer     Negotiate, prefer SSL (default)
> require    Require SSL
>
> The only change to the server is a new pg_hba.conf line type,
> "hostnossl", for specifying connections that are not allowed to use SSL
> (for example, to prevent servers on a local network from accidentally
> using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
>
> pg_hba.conf line types
> ----------------------
> host         applies to either SSL or regular connections
> hostssl      applies only to SSL connections
> hostnossl    applies only to regular connections
>
> These client and server options, the postgresql.conf ssl = false option,
> and finally the possibility of compiling with no SSL support at all,
> make quite a range of combinations to test. I threw together a test
> script to try many of them out. It's in a separate tarball with its
> config files, a patch to psql so it'll announce SSL connections even in
> absence of a tty, and the test output. The test is especially informative
> when run on the same tty the postmaster was started on, so the FATAL:
> errors during negotiation are interleaved with the psql client output.
>
> I saw Tom write that new submissions for 7.4 have to be in before midnight
> local time, and since I'm on the east coast in the US, this just makes it
> in before the bell. :)
>
> Jon
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
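The client modes and pg_hba.conf line types described in the quoted mail combine into the test matrix Jon mentions. The following Python model is an added example, not code from the patch or from libpq: it walks each sslmode's attempt order against a server that either accepts or refuses the SSLRequest and a pg_hba.conf made of the three line types, and reports whether the session ends up encrypted, in cleartext, or fails. The assumption that a client moves to its next attempt kind after a pg_hba.conf rejection (not only after a refused SSLRequest) is the model's own, as are the names `negotiate`, `matrix` and `silent_downgrade_modes`. The point a defender takes from running it is that only `require` rules out a cleartext session; the default `prefer` silently falls back when the server has `ssl = false` or was built without SSL.

```python
"""Model of sslmode negotiation against pg_hba.conf line types.

Constructed example: it simulates the combinations the sslmode patch
describes (sslmode disable/allow/prefer/require; pg_hba.conf line types
host/hostssl/hostnossl; server SSL on or off). The retry-after-rejection
behaviour is an assumption of this model, not taken from the patch.
"""
from itertools import product

# Order in which each sslmode tries connection kinds (from the patch description).
SSLMODE_ATTEMPT_ORDER = {
    "disable": ("plain",),        # unencrypted only, never send an SSLRequest
    "allow":   ("plain", "ssl"),  # negotiate, prefer non-SSL
    "prefer":  ("ssl", "plain"),  # negotiate, prefer SSL (the default)
    "require": ("ssl",),          # SSL or nothing
}

# Which connection kinds each pg_hba.conf line type applies to.
HBA_LINE_ACCEPTS = {
    "host":      {"ssl", "plain"},  # either SSL or regular connections
    "hostssl":   {"ssl"},           # only SSL connections
    "hostnossl": {"plain"},         # only regular connections
}


def hba_accepts(kind, hba_lines):
    """True if any pg_hba.conf line type in hba_lines matches this connection kind."""
    return any(kind in HBA_LINE_ACCEPTS[line] for line in hba_lines)


def try_connect(kind, server_ssl, hba_lines):
    """One connection attempt: 'ok', 'ssl-refused' or 'hba-rejected'."""
    if kind == "ssl" and not server_ssl:
        # Server answers 'N' to the SSLRequest (ssl = false, or built without SSL).
        return "ssl-refused"
    if not hba_accepts(kind, hba_lines):
        # Server side: FATAL, no pg_hba.conf entry for this connection type.
        return "hba-rejected"
    return "ok"


def negotiate(sslmode, server_ssl, hba_lines):
    """Outcome for one client sslmode: 'ssl', 'plain' or 'fail'.

    Assumption (model only): the client advances to its next attempt kind
    after either a refused SSLRequest or a pg_hba.conf rejection.
    """
    if sslmode not in SSLMODE_ATTEMPT_ORDER:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    for kind in SSLMODE_ATTEMPT_ORDER[sslmode]:
        if try_connect(kind, server_ssl, hba_lines) == "ok":
            return kind
    return "fail"


def encryption_guaranteed(sslmode):
    """True only for modes that can never end up on the wire in cleartext."""
    return all(kind == "ssl" for kind in SSLMODE_ATTEMPT_ORDER[sslmode])


def silent_downgrade_modes(hba_lines):
    """Modes that use SSL when the server offers it but fall back to cleartext when it does not."""
    return [
        mode for mode in SSLMODE_ATTEMPT_ORDER
        if negotiate(mode, True, hba_lines) == "ssl"
        and negotiate(mode, False, hba_lines) == "plain"
    ]


def matrix():
    """Every sslmode x server-SSL x single-line pg_hba.conf combination."""
    return {
        (mode, server_ssl, line): negotiate(mode, server_ssl, [line])
        for mode, server_ssl, line in product(SSLMODE_ATTEMPT_ORDER, (True, False), HBA_LINE_ACCEPTS)
    }


if __name__ == "__main__":
    print(f"{'sslmode':<8} {'server ssl':<11} {'hba line':<10} result")
    for (mode, server_ssl, line), result in matrix().items():
        print(f"{mode:<8} {str(server_ssl):<11} {line:<10} {result}")
    print("modes that downgrade silently with a plain 'host' line:",
          silent_downgrade_modes(["host"]))
```

Running it prints the 24-row matrix; the last line shows that `prefer` is the only mode that both uses SSL when available and quietly connects in cleartext when it is not, which is why a client that needs encryption should set `sslmode=require` (or `PGSSLMODE=require`) rather than rely on the default.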