Re: libpq and sslmode=require
From | Bruce Momjian |
---|---|
Subject | Re: libpq and sslmode=require |
Date | |
Msg-id | 200811042236.mA4Masx22273@momjian.us |
In reply to | Re: libpq and sslmode=require (Bruce Momjian <bruce@momjian.us>) |
List | pgsql-hackers |
Bruce Momjian wrote:
> > would impose a noticeable connection initiation overhead on everyone's
> > Unix-domain socket uses. You could make it use SSL in require mode, but
> > it seems weird that prefer mode would end up doing something different
> > than require mode.
> >
> > Maybe Magnus has an opinion on how we could make this fit into the new
> > scheme of things. I assume since we require certificates to be set up
> > now, SSL will by default be off and so using it over Unix-domain sockets
> > when enabled would not be in the common path, which was the objection
> > previously.
>
> Yep, the problem is that sslmode doesn't have any way to specify if we
> want unix domain sockets to behave differently from tcp sockets, and our
> default for sslmode makes that even worse.

I have added the following documentation patch to mention that 'sslmode' is ignored for unix domain sockets; backpatched to 8.3.X.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.266 diff -c -c -r1.266 libpq.sgml *** doc/src/sgml/libpq.sgml 27 Oct 2008 09:42:31 -0000 1.266 --- doc/src/sgml/libpq.sgml 4 Nov 2008 22:33:49 -0000 *************** *** 233,240 **** <term><literal>sslmode</literal></term> <listitem> <para> ! This option determines whether or with what priority an ! <acronym>SSL</> connection will be negotiated with the server. There are four modes: <literal>disable</> will attempt only an unencrypted <acronym>SSL</> connection; <literal>allow</> will negotiate, trying first a --- 233,240 ---- <term><literal>sslmode</literal></term> <listitem> <para> ! This option determines whether or with what priority a ! <acronym>SSL</> TCP/IP connection will be negotiated with the server. 
There are four modes: <literal>disable</> will attempt only an unencrypted <acronym>SSL</> connection; <literal>allow</> will negotiate, trying first a *************** *** 243,249 **** will negotiate, trying first an <acronym>SSL</> connection, then if that fails, trying a regular non-<acronym>SSL</> connection; <literal>require</> will try only an ! <acronym>SSL</> connection. </para> <para> --- 243,250 ---- will negotiate, trying first an <acronym>SSL</> connection, then if that fails, trying a regular non-<acronym>SSL</> connection; <literal>require</> will try only an ! <acronym>SSL</> connection. <literal>sslmode</> is ignored ! for Unix domain socket communication. </para> <para>
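Review bot: In the first hunk (lines 233-240), the rewritten line now reads "a <acronym>SSL</> TCP/IP connection" where the replaced line had "an <acronym>SSL</> connection"; SSL is read as an initialism, so the article should stay "an". Since this paragraph is being edited anyway, the unchanged context line "<literal>disable</> will attempt only an unencrypted <acronym>SSL</> connection" describes disable as an "unencrypted SSL connection", which is self-contradictory; "will attempt only an unencrypted connection" is what the mode does.

Review bot: In the second hunk (lines 243-250), the added sentence "<literal>sslmode</> is ignored for Unix domain socket communication" follows immediately after "<literal>require</> will try only an <acronym>SSL</> connection", so a reader who treats require as a guarantee of encryption still has to infer the consequence. Stating it outright, that over a Unix domain socket require neither negotiates SSL nor fails and the connection proceeds unencrypted like the other modes, would remove the ambiguity this patch is meant to close.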
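The mismatch this message documents, an sslmode that reads as strict but is ignored for Unix-domain sockets, is worth checking in stored connection strings. As an added example that is not part of the original message or of libpq, the Python below parses keyword=value conninfo strings and reports what each sslmode will actually do; it assumes libpq's host rule (a host beginning with a slash, or no host at all, selects a Unix socket; hostaddr forces TCP) and a default sslmode of prefer, and the sample strings are constructed.

```python
import re
# Constructed sample conninfo strings (keyword=value form only; not from the message).
SAMPLE_CONNINFOS = [
    "host=db.example.internal dbname=app sslmode=require",
    "host=/var/run/postgresql dbname=app sslmode=require",  # Unix socket directory
    "dbname=app sslmode=require",                            # no host: Unix socket by default
    "host=db.example.internal dbname=app",                   # no sslmode: default 'prefer'
    "host=db.example.internal sslmode=disable",
]
# keyword = value, where value is single-quoted (backslash escapes) or a bare word
_PAIR = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'])*'|\S+)")
# What libpq does over TCP for the four modes described in the patched paragraph.
TCP_OUTCOMES = {
    "disable": "unencrypted only",
    "allow": "unencrypted first, SSL as fallback",
    "prefer": "SSL first, unencrypted as fallback",
    "require": "SSL only, otherwise the connection fails",
}

def parse_conninfo(conninfo):
    """Split a libpq keyword=value string into a dict, unescaping quoted values."""
    params = {}
    for key, raw in _PAIR.findall(conninfo):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[key] = raw
    return params

def effective_ssl(conninfo):
    """Return (transport, sslmode, outcome); sslmode is ignored on Unix sockets."""
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode", "prefer")  # assumed libpq default when unset
    host = params.get("host", "")
    # Assumed libpq rule: hostaddr forces TCP; a host starting with '/' or no host is a Unix socket.
    if "hostaddr" not in params and (host == "" or host.startswith("/")):
        return ("unix", mode, "ignored: plain local connection, no SSL negotiated")
    return ("tcp", mode, TCP_OUTCOMES.get(mode, "unknown sslmode value"))

def audit(conninfos):
    """Flag strings whose requested sslmode will not yield an encrypted TCP connection."""
    findings = []
    for ci in conninfos:
        transport, mode, outcome = effective_ssl(ci)
        if transport == "unix" and mode == "require":
            findings.append((ci, "sslmode=require is ignored over a Unix socket"))
        elif transport == "tcp" and mode != "require":
            findings.append((ci, "may be unencrypted: " + outcome))
    return findings
```

Run `audit(SAMPLE_CONNINFOS)` to see the two require-over-Unix-socket cases reported alongside the TCP strings that permit a plaintext fallback.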