Re: Direct SSL connection with ALPN and HBA rules

From Robert Haas
Subject Re: Direct SSL connection with ALPN and HBA rules
Date
Msg-id CA+TgmoaNkRerEmB9JPgW0FhcJAe337AA=5kp6je9KekQhhRbmA@mail.gmail.com
In response to Re: Direct SSL connection with ALPN and HBA rules  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
On Mon, Apr 29, 2024 at 4:38 AM Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> Making requiredirect imply sslmode=require, or error out unless you
> also set sslmode=require, feels like a cavalier way of forcing SSL. We
> should have a serious discussion on making sslmode=require the default
> instead. That would be a more direct way of nudging people to use SSL.
> It would cause a lot of breakage, but it would also be a big improvement
> to security.
>
> Consider how sslnegotiation=requiredirect/directonly would feel, if we
> made sslmode=require the default. If you explicitly set "sslmode=prefer"
> or "sslmode=disable", it would be annoying if you would also need to
> remove "sslnegotiation=requiredirect" from your connection string.

I think making sslmode=require the default is pretty unworkable,
unless we also had a way of automatically setting up SSL as part of
initdb or something. Otherwise, we'd have to add sslmode=disable to a
million places just to get the regression tests to work, and every
test cluster anyone spins up locally would break in annoying ways,
too. I had been thinking we might want to change the default to
sslmode=disable and remove allow and prefer, but maybe automating a
basic SSL setup is better. Either way, we should move toward a world
where you either ask for SSL and get it, or don't ask for it and don't
get it. Being halfway in between is bad.

--
Robert Haas
EDB: http://www.enterprisedb.com


