Re: Unfriendly handling of pg_hba SSL options with SSL off

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Unfriendly handling of pg_hba SSL options with SSL off
Date: 2011-04-25 17:52:30
Message-ID: BANLkTiksDv2bAU_8PDKz3Ss__pNnc7wZzg@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Apr 25, 2011 at 19:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Yeah, better make any misconfiguration very clear - let's throw an error.
>
> OK, so we need something like (untested)
>
>         if (token[4] == 's')    /* "hostssl" */
>         {
>  #ifdef USE_SSL
> +            if (!EnableSSL)
> +            {
> +                ereport(LOG,
> +                        (errcode(ERRCODE_CONFIG_FILE_ERROR),
> +                         errmsg("hostssl requires SSL to be turned on"),
> +                         errhint("Set ssl = on in postgresql.conf."),
> +                         errcontext("line %d of configuration file \"%s\"",
> +                                    line_num, HbaFileName)));
> +                return false;
> +            }
>             parsedline->conntype = ctHostSSL;
>  #else
>             ereport(LOG,
>                     (errcode(ERRCODE_CONFIG_FILE_ERROR),
>                      errmsg("hostssl not supported on this platform"),
>               errhint("Compile with --with-openssl to use SSL connections."),
>                      errcontext("line %d of configuration file \"%s\"",
>                                 line_num, HbaFileName)));
>             return false;
>  #endif
>         }

Looks good to me.

> While I'm looking at this, I notice that here (and in some other places
> in pg_hba.conf) we say "not supported on this platform" which seems
> rather bogus to me.  It implies that it's not possible to have SSL
> support on the user's machine, which is most likely not the case.
> I'd be happier with "not supported by this build of PostgreSQL" or some
> such wording.  Thoughts?

There seems to be a number of cases in libpq, and also in pg_locale.c
that says just hat. But in guc.c, we say "SSL is not supported by
this build". If we change it, we should change it to the same
(including whether "of PostgreSQL" is included).

Refering to the build seems more logical, yes.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2011-04-25 17:53:10 Re: branching for 9.2devel
Previous Message Tom Lane 2011-04-25 17:52:16 Re: make check in contrib