Tom Lane wrote:
> Conclusions:
>
> * SSL, even without real authentication, is *way* too expensive to
> enable by default.
>
> * The extra cost of going across a local TCP connection is measurable,
> but it's insignificant compared to the cost of turning on SSL. (This
> is on a Fedora 8 kernel BTW ... that result might vary on other
> platforms.)
>
> So you could make a pretty good case that the answer for DBAs who
> want to prevent spoofing is to disable socket connections in pg_hba.conf
> and force even local connections to come through "hostssl" connections.
Yea, I figured using protected directories for the socket was the
zero-cost solution, and if you have to do SSL, might as well just use
TCP too. (If you moved the socket file to a protected directory I think
you could use external_pid_file='/tmp/.s.PGSQL.5432' to prevent a spoof
socket file in /tmp. Should we document that idea?)
> If we do want to apply Peter's patch, I think it needs to be extended so
> that the default behavior on sockets is the same as before, ie, no SSL.
> This could be done by giving libpq an additional connection parameter,
> say "socketsslmode", having the same alternatives as sslmode but
> defaulting to "allow" instead of "prefer".
That seems like it is going to be added confusion; just using the
protected socket diretory or TCP & SSL seems less error-prone.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +