Re: CVS-tip; SSLmode & Kerberos

Dave Page wrote:
> Hi,
>
> I've just had some testing done by Magnus Hagander who uses psqlODBC in
> a kerberos environment and a couple of minor issues came to light:
>
> - Kerberos authentication (and therefore other features of libpq like
> pgpass) can only be used if sslmode != d. This is because the original
> CC_connect code is used instead of libpq in this case. Is there any
> reason to not use libpq all the time regardless of sslmode (if it's
> available of course)?

Because I don't want to use libpq if it's possible.
The current implementation doesn't need libpq at all except
when you need SSL, kerberos or ipv6 etc connection/authentication.
I don't know what libraries the libpq would need in the future
but it's quite unpleasant for me if the psqlodbc driver can't
be loaded with tha lack of needeless librairies.
In addtion using the native connection has the following 2 points
at least.
1. The driver sets some session default parameters(DateStyle,
client_encoding etc) using start-up message.
2. You can try V2 protocol implementation when the V3 implementation
has some bugs or performance issues.
(personally It's hard for me to test v2 protocol implementation
without using the functionality because I don't have pre 7.4
server personally.)

> - sslmode defaults to 'disable'. If libpq is available, 'prefer' would
> seem the more secure default option. Any reason we should not change
> this as well?

There's no reason other than it's my default.

regards,
Hiroshi Inoue