|From:||David Fetter <david(at)fetter(dot)org>|
|To:||Michael Paquier <michael(at)paquier(dot)xyz>|
|Cc:||Daniel Gustafsson <daniel(at)yesql(dot)se>, Cary Huang <cary(dot)huang(at)highgo(dot)ca>, pgsql-hackers(at)lists(dot)postgresql(dot)org|
|Subject:||Re: Let people set host(no)ssl settings from initdb|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
On Wed, Dec 30, 2020 at 08:24:06PM +0100, David Fetter wrote:
> On Mon, Sep 07, 2020 at 11:57:58AM +0900, Michael Paquier wrote:
> > On Thu, Jul 02, 2020 at 04:02:21PM +0200, Daniel Gustafsson wrote:
> > > The CF Patch Tester consider this patch to be malformed and is unable to apply
> > > and test it. Can you please submit a rebased version?
> > I have looked at the patch of this thread, and I doubt that it is a
> > good idea to put more burden into initdb for that. I agree that
> > being able to reject easily non-SSL connections in pg_hba.conf is a
> > bit of a hassle now, but putting more logic into initdb does not seem
> > the right course to me. Perhaps we could consider an idea like
> > Peter's to have a sslmode=require on the server side and ease the
> > generation of HBA rules..
> > The patch has stalled for two months now without a rebase provided, so
> > I am marking it as returned with feedback.
> Please find attached the rebased patch.
> Peter's suggestion seems a little more subtle to me than requiring TLS
> on the server side in that what people generally want to do is
> disallow clear text connections entirely. In those scenarios, people
> would also want to set (and be able to change at runtime) some kind of
> cryptographic policy, as SSH and TLS do. While I see this as a worthy
> goal, it's a much bigger lift than an optional argument or two to
> initdb, and requires a lot more discussion than it's had to date.
This time with patch actually attached.
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
|Next Message||Krasiyan Andreev||2020-12-30 19:32:26||Re: Implement <null treatment> for window functions|
|Previous Message||David Fetter||2020-12-30 19:24:06||Re: Let people set host(no)ssl settings from initdb|