Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I'm inclined to think that the correct fix is to make parse_hba_line,
>> where it first realizes the line is "hostssl", check not only that SSL
>> support is compiled but that it's turned on.
> It's not clear to me what behavior you are proposing. Would we
> disregard the hostssl line or treat it as an error?
Sorry, I wasn't clear. I meant to throw an error. We already do throw
an error if you put hostssl in pg_hba.conf when SSL support wasn't
compiled at all. Why shouldn't we throw an error if it's compiled but
not turned on?
Or we could go in the direction of making hostssl lines be a silent
no-op in both cases, but that doesn't seem like especially user-friendly
design to me. We don't treat any other cases in pg_hba.conf comparably
AFAIR.
regards, tom lane