From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Christoph Berg <cb(at)df7cb(dot)de> |
Cc: | Christoph Berg <myon(at)debian(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Jakob Egger <jakob(at)eggerapps(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslmode=require fallback |
Date: | 2016-07-19 18:56:05 |
Message-ID: | CABUevEwmHcCvNU_poRVbYzaa3pOfPXJV8q61XrpYLQq7Tc9eWQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Jul 19, 2016 at 8:53 PM, Christoph Berg <cb(at)df7cb(dot)de> wrote:
> Makes sense. Is this something that should be implemented in postgresql,
> or via pg_createcluster?
>
>
Personally I'd like to see pg_createcluster et al mimic upstream as close
as possible, so I'd advocate these changes being made upstream in
PostgreSQL itself.
//Magnus
>
> On 19 July 2016 16:00:05 CEST, Magnus Hagander <
> magnus(at)hagander(dot)net> wrote:
>>
>>
>>
>> On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <myon(at)debian(dot)org> wrote:
>>
>>> Re: Peter Eisentraut 2016-07-17 <
>>> d6b22200-0e65-d17e-b227-b63d81720fd0(at)2ndquadrant(dot)com>
>>> > On 7/15/16 3:07 PM, Andrew Dunstan wrote:
>>> > > Do those packagers who install dummy certificates and turn SSL on also
>>> > > change their pg_hba.conf.sample files to use hostssl? That could go a
>>> > > long way towards encouraging people.
>>> >
>>> > Debian, which I guess sort of started this, does not, but there are
>>> > allusions to it in the TODO list.
>>>
>>> I guess we should actually do that if we had any non-local(host)
>>> entries in there by default, but we don't touch the default
>>> pg_hba.conf from pg_createcluster.
>>>
>>
>> What could actually be useful there is to explicitly put hostnossl on the
>> localhost entries. With the current defaults on the clients, that wouldn't
>> break anything, and it would leave people without the performance issues
>> that you run into in the default deployments. And for localhost it really
>> doesn't make sense to encrypt -- for the local LAN segment that can be
>> argued, but for localhost...
>>
>>
>> --
>> Magnus Hagander
>> Me: http://www.hagander.net/
>> Work: http://www.redpill-linpro.com/
>>
>
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
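
An added example, not part of the original message or of PostgreSQL or pg_createcluster: a small reviewer for pg_hba.conf text that flags plain `host` entries and proposes `hostnossl` for loopback addresses and `hostssl` for everything else, the two ideas raised in this thread. The sample file, function names and the "manual review" label are constructed for illustration, and the ADDRESS field is assumed to be in CIDR form.

```python
import ipaddress
import shlex

# Constructed sample, modelled on a stock pg_hba.conf plus some LAN entries.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   192.168.0.0/24  md5
hostssl all       all   10.0.0.0/8      md5
host    all       all   samenet         md5
"""

def is_loopback(address):
    """True/False for a CIDR address, None if it cannot be decided here."""
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None  # hostname or keyword (all, samehost, samenet)
    # A network is loopback only if its whole range is loopback.
    return net.is_loopback

SUGGESTION = {True: "hostnossl", False: "hostssl", None: "manual review"}

def review(hba_text):
    """Return (line_no, address, suggested_type) for each plain 'host' entry."""
    findings = []
    for line_no, line in enumerate(hba_text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # drops '#' comments
        # Skip blanks, comments, 'local', and entries that already state
        # their TLS requirement (hostssl / hostnossl).
        if len(fields) < 5 or fields[0] != "host":
            continue
        address = fields[3]
        findings.append((line_no, address, SUGGESTION[is_loopback(address)]))
    return findings

if __name__ == "__main__":
    for line_no, address, suggested in review(SAMPLE_HBA):
        print(f"line {line_no}: host {address} -> {suggested}")
```

A client that forces `sslmode=require` will not match a `hostnossl` line, so the loopback suggestion only holds for clients left on the default `sslmode`.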