Re: host and hostssl equivalence in pg_hba.conf

From Bruce Momjian
Subject Re: host and hostssl equivalence in pg_hba.conf
Date
Msg-id 200306101555.h5AFtXk23115@candle.pha.pa.us
In reply to Re: host and hostssl equivalence in pg_hba.conf  ("Nigel J. Andrews" <nandrews@investsystems.co.uk>)
List pgsql-hackers
Nigel J. Andrews wrote:
> 
> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow an SSL connection but requires
> the hostssl specifier?
> 
> I had been going to submit a very small patch to do this but then it occurred
> to me this was a good candidate for a GUC along the lines of
> allow_host_hostssl_equivalence (just a name picked out of the air for this
> post). As this is a little bit more work and I can't get to anoncvs to refresh
> my tree I thought I'd check if it was something to pursue or forget.

The other problem with using GUC here is that it adds even more
complexity to pg_hba.conf, where the meaning of 'host' changes depending
on postgresql.conf, and as Tom pointed out, it doesn't give per-host
control.  I do think we need an additional host* line in pg_hba.conf for
this.

The real killer is that folks are getting SSL when they don't even know
it just because their client binaries/server are ssl.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
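The matching behaviour this thread is about, modelled as an added example (not code from the post or from PostgreSQL): a plain `host` record matches a TCP connection with or without SSL, while `hostssl` matches only SSL connections, so an SSL client can be admitted by a `host` line and a `host` line also admits plaintext. The sample file, its CIDR address form, and the function names are constructed for illustration; the database and user columns are parsed but not matched.

```python
import ipaddress

# Constructed sample pg_hba.conf (addresses and auth methods are illustrative).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS         METHOD
hostssl   all       all   10.0.0.0/8      md5
host      all       all   192.168.1.0/24  md5
local     all       all                   trust
"""

def parse_hba(text):
    """Return (type, database, user, network, method) for each TCP record."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in ("host", "hostssl"):
            conn_type, database, user, address, method = fields[:5]
            records.append((conn_type, database, user,
                            ipaddress.ip_network(address), method))
    return records

def record_matches(conn_type, ssl):
    # 'host' matches a TCP connection whether or not it uses SSL;
    # 'hostssl' matches only connections that use SSL.
    return conn_type == "host" or (conn_type == "hostssl" and ssl)

def first_match(records, client_ip, ssl):
    """Model first-match lookup: the first applicable record, or None."""
    ip = ipaddress.ip_address(client_ip)
    for rec in records:
        if record_matches(rec[0], ssl) and ip in rec[3]:
            return rec
    return None

def plaintext_capable(records):
    """Audit helper: networks from which a non-SSL connection is admitted."""
    return [str(rec[3]) for rec in records if record_matches(rec[0], ssl=False)]

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for ip, ssl in [("192.168.1.7", True), ("192.168.1.7", False),
                    ("10.1.2.3", True), ("10.1.2.3", False)]:
        print(ip, "ssl" if ssl else "plain", "->", first_match(recs, ip, ssl))
    print("plaintext admitted from:", plaintext_capable(recs))
```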
 

