Re: Refuse SSL patch

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Jon Jensen <jon(at)endpoint(dot)com>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Refuse SSL patch
Date: 2003-01-07 15:47:42
Message-ID: 200301071547.h07FlgK10329@candle.pha.pa.us
Lists: pgsql-patches

Jon Jensen wrote:
> > I don't think overloading REQUIRE to mean something else is really the
> > way to go. Looking at your options, we have:
> >
> > > > 0 - Refuse SSL
> >
> > Hard to imagine why someone would pick this one.
>
> But this is the exact reason I started my patch -- I need a server that
> can do SSL to allow *only* SSL connections to an off-site IP address, but
> *only* non-SSL connections to an internal IP address on a private network.
> Speed would suffer greatly if I were to allow SSL connections internally,
> but security would suffer if I disabled all SSL connections.

But doesn't pg_hba.conf do that already, in that you say 'host' for the
local IP, but ssl for the remote IPs?

The only value I see to the existing REQUIRESSL is to say "I am a client
and only want to do SSL", and in that case you can use the services file
to use the same binary on different hosts, and control whether you want
that host to require SSL or not. It doesn't make the switching based on
who the host is connecting to, but your proposal doesn't do that either.

I have to say I am just still confused over this.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
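The per-address split Bruce is pointing at, written out as an added pg_hba.conf example (not part of the original thread): a record type of hostnossl only matches plain TCP connections and hostssl only matches SSL connections, so one server can demand SSL from an off-site address while refusing it on the private network. Addresses, masks and the authentication method are constructed placeholders.

```conf
# pg_hba.conf (constructed example; addresses are placeholders)
# TYPE       DATABASE  USER  IP-ADDRESS    IP-MASK          METHOD

# Internal network: plain TCP only. An SSL attempt from here does
# not match this record and falls through.
hostnossl    all       all   10.0.0.0      255.255.255.0    md5

# Off-site client: only an SSL connection can match this record.
hostssl      all       all   203.0.113.5   255.255.255.255  md5

# Everything else (SSL from the internal net, plain TCP from off-site,
# any other address) is refused explicitly rather than by falling off
# the end of the file, which makes the failure mode obvious in the log.
host         all       all   0.0.0.0       0.0.0.0          reject
```

pg_hba.conf is read top-down and the first matching record decides, so the ordering above matters only in that the catch-all reject line must come last. Later PostgreSQL releases also accept the address and mask as a single CIDR field (10.0.0.0/24) in place of the two columns shown here. This handles the server side of Jon's requirement; the client-side REQUIRESSL setting Bruce mentions is independent of it and only lets a client insist on SSL regardless of which host it connects to.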
