Re: sslmode patch

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Jon Jensen <jon(at)endpoint(dot)com>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: sslmode patch
Date: 2003-07-26 13:50:16
Message-ID: 200307261350.h6QDoG602897@candle.pha.pa.us
Lists: pgsql-hackers pgsql-patches


Newest patch applied. Thanks.

---------------------------------------------------------------------------

Jon Jensen wrote:
> Folks,
>
> At long last I put together a patch to support 4 client SSL negotiation
> modes (and replace the requiressl boolean). The four options were first
> spelled out by Magnus Hagander <mha(at)sollentuna(dot)net> on 2000-08-23 in email
> to pgsql-hackers, archived here:
>
> http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
>
> My original less-flexible patch and the ensuing thread are archived at:
>
> http://dbforums.com/t623845.html
>
> Attached is a new patch, including documentation.
>
> To sum up, there's a new client parameter "sslmode" and environment
> variable "PGSSLMODE", with these options:
>
> sslmode  description
> -------  -----------
> disable  Unencrypted non-SSL only
> allow    Negotiate, prefer non-SSL
> prefer   Negotiate, prefer SSL (default)
> require  Require SSL
>
> The only change to the server is a new pg_hba.conf line type,
> "hostnossl", for specifying connections that are not allowed to use SSL
> (for example, to prevent servers on a local network from accidentally
> using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
>
> pg_hba.conf line types
> ----------------------
> host       applies to either SSL or regular connections
> hostssl    applies only to SSL connections
> hostnossl  applies only to regular connections
>
> These client and server options, the postgresql.conf ssl = false option,
> and finally the possibility of compiling with no SSL support at all,
> make quite a range of combinations to test. I threw together a test
> script to try many of them out. It's in a separate tarball with its
> config files, a patch to psql so it'll announce SSL connections even in
> absence of a tty, and the test output. The test is especially informative
> when run on the same tty the postmaster was started on, so the FATAL:
> errors during negotiation are interleaved with the psql client output.
>
> I saw Tom write that new submissions for 7.4 have to be in before midnight
> local time, and since I'm on the east coast in the US, this just makes it
> in before the bell. :)
>
> Jon



--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
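As an added illustration (not code from this thread and not PostgreSQL or libpq source), the following Python models the client attempt order for the four sslmode values together with host/hostssl/hostnossl matching, so the client/server combinations the message describes testing can be enumerated offline. The pg_hba.conf text, the client addresses and the simplified "retry the other way on failure" rule are constructed assumptions; the database and user columns are not checked.

```python
import ipaddress

# Client-side attempt order per sslmode (True = try SSL, False = try plain).
# Follows the table in the message: disable never uses SSL, require never
# falls back, allow and prefer negotiate with opposite preferences.
ATTEMPT_ORDER = {
    "disable": (False,),
    "allow":   (False, True),
    "prefer":  (True, False),
    "require": (True,),
}

# Which pg_hba.conf line types apply to an SSL connection vs. a plain one.
LINE_TYPES = {
    "host":      (True, False),
    "hostssl":   (True,),
    "hostnossl": (False,),
}

# Constructed sample pg_hba.conf (assumption, not from the thread).
SAMPLE_HBA = """
hostnossl all all 127.0.0.1/32        trust   # loopback: plain only, no SSL overhead
hostssl   all all 192.168.1.0/24      md5     # LAN clients must use SSL
host      all all 10.0.0.0 255.0.0.0  md5     # either, written in the addr/mask form
"""


def parse_hba(text):
    """Parse host-type lines into (type, db, user, network, method).
    Accepts both 'addr/prefix' and 'addr mask' address forms."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind not in LINE_TYPES:
            raise ValueError(f"unsupported line type: {kind}")
        if "/" in fields[3]:
            net, method = ipaddress.ip_network(fields[3], strict=False), fields[4]
        else:
            net = ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
            method = fields[5]
        rules.append((kind, fields[1], fields[2], net, method))
    return rules


def match_hba(rules, client_ip, ssl):
    """Return the auth method of the first line that applies to this
    connection type and address, or None (server: 'no pg_hba.conf entry')."""
    addr = ipaddress.ip_address(client_ip)
    for kind, _db, _user, net, method in rules:
        if ssl in LINE_TYPES[kind] and addr in net:
            return method
    return None


def negotiate(sslmode, server_ssl, rules, client_ip):
    """Simulate the client's attempts for one sslmode.
    Returns ('ok', ssl_used) or ('fatal', reason). A failed attempt moves
    on to the next connection type the sslmode permits, which is how
    'allow' and 'prefer' fall back (simplified model of libpq's retry)."""
    if sslmode not in ATTEMPT_ORDER:
        raise ValueError(f"unknown sslmode: {sslmode}")
    reason = None
    for want_ssl in ATTEMPT_ORDER[sslmode]:
        if want_ssl and not server_ssl:
            # server answers 'N' to SSLRequest: ssl = false or built without SSL
            reason = "server does not support SSL"
            continue
        method = match_hba(rules, client_ip, want_ssl)
        if method is None:
            reason = (f"no pg_hba.conf entry for host {client_ip}, "
                      f"SSL {'on' if want_ssl else 'off'}")
            continue
        if method == "reject":
            reason = "connection rejected by pg_hba.conf"
            continue
        return ("ok", want_ssl)
    return ("fatal", reason)


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for server_ssl in (True, False):
        for ip in ("127.0.0.1", "192.168.1.5", "10.1.2.3"):
            for mode in ATTEMPT_ORDER:
                print(f"ssl={str(server_ssl):5} client={ip:12} sslmode={mode:8} ->",
                      negotiate(mode, server_ssl, rules, ip))
```

Running the matrix makes the security-relevant point visible: with the LAN client at 192.168.1.5 and a server that has ssl = false, "prefer" and "allow" both end in FATAL because only a hostssl line matches, whereas a client that happens to match a host or hostnossl line is silently connected in plaintext. Only sslmode=require guarantees the session is encrypted, and at this version require checks nothing about the server's certificate (the verify-ca and verify-full modes were added later, in PostgreSQL 8.4), so it stops passive eavesdropping but not an active man-in-the-middle.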
