Re: sslmode=require fallback

Makes sense. Is this something that should be implemented in postgresql, or via pg_createcluster?

Am 19. Juli 2016 16:00:05 MESZ, schrieb Magnus Hagander <magnus(at)hagander(dot)net>:
>On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <myon(at)debian(dot)org>
>wrote:
>
>> Re: Peter Eisentraut 2016-07-17 <
>> d6b22200-0e65-d17e-b227-b63d81720fd0(at)2ndquadrant(dot)com>
>> > On 7/15/16 3:07 PM, Andrew Dunstan wrote:
>> > > Do those packagers who install dummy certificates and turn SSL on
>also
>> > > change their pg_hba.conf.sample files to use hostssl?. That could
>go a
>> > > long way towards encouraging people.
>> >
>> > Debian, which I guess sort of started this, does not, but there are
>> > allusions to it in the TODO list.
>>
>> I guess we should actually do that if we had any non-local(host)
>> entries in there by default, but we don't touch the default
>> pg_hba.conf from pg_createcluster.
>>
>
>What could actually be useful there is to explicitly put hostnossl on
>the
>localhost entries. With the current defaults on the clients, that
>wouldn't
>break anything, and it would leave people without the performance
>issues
>that you run into in the default deployments. And for localhost it
>really
>does't make sense to encrypt -- for the local LAN segment that can be
>argued, but for localhost...
>
>
>--
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/