From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Unfriendly handling of pg_hba SSL options with SSL off |
Date: | 2011-04-25 17:38:15 |
Message-ID: | 16942.1303753095@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Yeah, better make any misconfiguration very clear - let's throw an error.
OK, so we need something like (untested)
if (token[4] == 's') /* "hostssl" */
{
#ifdef USE_SSL
+ if (!EnableSSL)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("hostssl requires SSL to be turned on"),
+ errhint("Set ssl = on in postgresql.conf."),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, HbaFileName)));
+ return false;
+ }
parsedline->conntype = ctHostSSL;
#else
ereport(LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("hostssl not supported on this platform"),
errhint("Compile with --with-openssl to use SSL connections."),
errcontext("line %d of configuration file \"%s\"",
line_num, HbaFileName)));
return false;
#endif
}
While I'm looking at this, I notice that here (and in some other places
in pg_hba.conf) we say "not supported on this platform" which seems
rather bogus to me. It implies that it's not possible to have SSL
support on the user's machine, which is most likely not the case.
I'd be happier with "not supported by this build of PostgreSQL" or some
such wording. Thoughts?
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2011-04-25 17:43:39 | Re: make check in contrib |
Previous Message | Robert Haas | 2011-04-25 17:35:05 | Re: Foreign table permissions and cloning |