Re: libpq and sslmode=require

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: libpq and sslmode=require
Date: 2008-11-04 16:13:41
Message-ID: 200811041613.mA4GDfF23646@momjian.us
Lists: pgsql-hackers

Peter Eisentraut wrote:
> Bruce Momjian wrote:
> > In testing an SSL patch, I found that if I use 'sslmode=require' in the
> > libpq connection string, it does not use SSL over a unix-domain socket.
> >
> > libpq should either use SSL (which I don't think it can), or error out,
> > or we should at least document this behavior.
>
> We discussed this before 8.3 already. It might be time to address this
> now that the SSL support is being redesigned.
>
> SSL over Unix-domain sockets with libpq works perfectly fine if you
> remove the code in libpq and/or the postmaster (forgot which exactly)
> that thinks that it doesn't work.
>
> The issue previously was that libpq defaults to sslmode=prefer and that
> would impose a noticeable connection initiation overhead on everyone's
> Unix-domain socket uses. You could make it use SSL in require mode, but
> it seems weird that prefer mode would end up doing something different
> than require mode.
>
> Maybe Magnus has an opinion on how we could make this fit into the new
> scheme of things. I assume since we require certificates to be set up
> now, SSL will by default be off and so using it over Unix-domain sockets
> when enabled would not be in the common path, which was the objection
> previously.

Yep, the problem is that sslmode doesn't have any way to specify if we
want unix domain sockets to behave differently from tcp sockets, and our
default for sslmode makes that even worse.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
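
The following is an added example, not code from the thread's authors or from PostgreSQL itself. It is a small linter for libpq keyword=value connection strings that models the behaviour discussed above: sslmode is not applied to Unix-domain sockets, so sslmode=require on such a connection silently yields a plaintext local connection instead of an error. It assumes a Unix build of libpq, where an absent host means the default socket directory; a hostaddr forces TCP. It goes slightly beyond the thread by also recognising the later verify-ca/verify-full modes and comma-separated multi-host lists. The connection strings in main() are constructed sample input.

```python
"""Lint libpq conninfo strings for sslmode settings that will not deliver
what their name suggests.

Added example (not PostgreSQL code).  Models the behaviour discussed in the
thread: libpq does not negotiate SSL over a Unix-domain socket, so
sslmode=require there is plaintext rather than an error.
Assumption: Unix build, where no host means the default socket directory.
"""
import re

# A keyword=value token as libpq accepts it: an unquoted value, or a
# single-quoted value in which a backslash escapes the next character.
_TOKEN = re.compile(
    r"""\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:\\.|[^'\\])*'|[^\s']*)"""
)

# Modes whose name promises encryption, and modes that do not.
_SSL_MANDATORY = ("require", "verify-ca", "verify-full")
_SSL_OPTIONAL = ("disable", "allow", "prefer")


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq keyword=value string into a dict of parameters."""
    params = {}
    pos = 0
    while pos < len(conninfo):
        m = _TOKEN.match(conninfo, pos)
        if not m:
            if conninfo[pos:].strip() == "":
                break  # trailing whitespace only
            raise ValueError(f"malformed conninfo near offset {pos}: {conninfo[pos:]!r}")
        key, raw = m.group(1), m.group(2)
        if raw.startswith("'"):
            # Strip the quotes and resolve backslash escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[key] = raw
        pos = m.end()
    return params


def transports(params: dict) -> list:
    """Return (host_label, 'unix'|'tcp') for each host libpq would try.

    A numeric hostaddr always means TCP.  A host that is empty (assumption:
    default socket directory on a Unix build) or starts with '/' is a
    Unix-domain socket directory; anything else is a TCP host name.
    """
    if params.get("hostaddr"):
        return [(params["hostaddr"], "tcp")]
    result = []
    for h in params.get("host", "").split(","):
        if h == "" or h.startswith("/"):
            result.append((h or "<default socket directory>", "unix"))
        else:
            result.append((h, "tcp"))
    return result


def check_ssl_expectation(conninfo: str) -> list:
    """Return one warning string per host where sslmode is misleading."""
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode", "prefer")  # libpq's default, as the thread notes
    warnings = []
    for host, transport in transports(params):
        if transport == "unix" and mode in _SSL_MANDATORY:
            warnings.append(
                f"host {host!r}: sslmode={mode} requested, but SSL is not "
                "negotiated over a Unix-domain socket; the connection is plaintext"
            )
        elif transport == "tcp" and mode in _SSL_OPTIONAL:
            warnings.append(
                f"host {host!r}: sslmode={mode} does not guarantee encryption over TCP"
            )
    return warnings


def main():
    # Constructed sample connection strings (not from the thread).
    samples = [
        "dbname=app user=app sslmode=require",
        "host=/var/run/postgresql dbname=app sslmode=require",
        "host=db.example.com dbname=app",
        "host=db.example.com dbname=app sslmode=require",
        "host=/tmp,db.example.com dbname=app sslmode=verify-full",
        r"hostaddr=10.0.0.5 dbname=app sslmode=require password='p\'w d'",
    ]
    for dsn in samples:
        print(dsn)
        for w in check_ssl_expectation(dsn) or ["  ok"]:
            print("  " + w if not w.startswith("  ") else w)


if __name__ == "__main__":
    main()
```

The linter only reasons about the connection string; to confirm what a live session actually negotiated, current libpq exposes PQsslInUse() on the client side and the server's pg_stat_ssl view reports it per backend.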
