On Tue, 10 Jun 2003, Nigel J. Andrews wrote:
> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow a SSL connection but requires
> the hostssl specifier?
Nigel,
We had discussed overhauling the connection settings on both client and
server to cover all needs, along these lines:
> Date: Tue, 7 Jan 2003 16:07:58 -0500 (EST)
> From: Bruce Momjian <pgman@candle.pha.pa.us>
> To: Peter Eisentraut <peter_e@gmx.net>
> Cc: Jon Jensen <jon@endpoint.com>, pgsql-patches@postgresql.org
> Subject: Re: [PATCHES] Refuse SSL patchf
>
> Peter Eisentraut wrote:
> > Bruce Momjian writes:
> >
> > > > Tom thought that having conflicting REFUSESSL and REQUIRESSL directives
> > > > would be confusing, and since I dug up someone's old discussion in the
> > > > list archives of the four possible modes, we could move to that.
> > >
> > > Oh. I find two params clearer than one with meaningless numbers. :-)
> >
> > But the numeric model provides four modes (refuse ssl, prefer no ssl,
> > prefer ssl, require ssl) whereas the refuse/require combination only
> > provides three modes (refuse ssl, require ssl, and one other depending on
> > how you define it when neither is set). If you don't like numbers, make
> > them words.
>
> OK, that works:
>
> require
> prevent
> prefer
> noprefer
>
> This allows us to subsume PGREQUIRE_SSL into the new variable. Do we
> still need additional functionality in pg_hba.conf? I am only asking if
> pushing these decisions out to the client makes sense?
>
> For performance reasons, it is good to push this information out to the
> clients so the proper connection method is used the first time.
>
> However, for easier maintenance, we could have all of this in
> pg_hba.conf only, and have clients try SSL first, and fall back to
> non-SSL if the server doesn't want SSL. It would require two new
> pg_hba.conf line types. We have prefer-SSL (host) and SSL-only (ssl)
> now.
>
> require (ssl)
> prevent (nossl)
> prefer (hostpreferssl)
> noprefer(host)
>
> This would change 'host' to not prefer SSL.
Unfortunately, I lived with my own local patch and forgot about making the
more general one these past five months.
This proposal would meet your needs, wouldn't it?
Jon