Re: Refuse SSL patch

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Jon Jensen <jon(at)endpoint(dot)com>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Refuse SSL patch
Date: 2003-01-07 17:01:48
Message-ID: 200301071701.h07H1mR21809@candle.pha.pa.us
Lists: pgsql-patches

Jon Jensen wrote:
> > But doesn't pg_hba.conf do that already, in that you say 'host' for the
> > local ip, but ssl for the remote ip's?
>
> The proposed SSLMODE is a client-side configuration option to supersede
> REQUIRESSL, which is also a client configuration option. Here's the
> problem:
>
> 1. The client always tries to connect via SSL if SSL support was compiled
> in. There is no way to change this presently.
> 2. If the server can do SSL *at all*, it negotiates an SSL connection with
> the client.

Oh, that is a key thing I didn't know. Seems we should just add a libpq
PREVENTSSL option and be done with it. Seems clearer than numbers, and
hits the most useful functionality. If they set REQUIRESSL and
PREVENTSSL, we throw an error.

Right now, if they set 'host' in pg_hba.conf, and the client knows SSL,
we use it. Your idea had the additional functionality of preferring
non-SSL if the server knew SSL but had 'host' in pg_hba.conf.

> But on the other hand, we want some control on the server as well -- we
> may want to disallow SSL connections from a certain IP address, if nothing
> else just to make sure a client doesn't accidentally use SSL over the
> local network because someone forgets not to use it. Otherwise we could be
> accidentally using SSL on the local network and killing performance. So I
> added a 'hostnossl' option to pg_hba.conf, which will allow only non-SSL
> connections from certain IP addresses.

Perhaps your idea of 'hostnossl' in pg_hba.conf is a good one. That
way, both client and server would have the ability to say never or only
SSL. It allows more central control.

So, in negotiation, that only leaves open the question of what happens
when none of those are set, and it seems we prefer SSL in such cases.
Is that the correct default?

In fact, once we have 'hostnossl' why do we need PREVENTSSL in libpq?

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
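As an added illustration (not code from this thread or from PostgreSQL itself), a small Python model of the negotiation under discussion: the client's REQUIRESSL flag and the proposed PREVENTSSL flag against the pg_hba.conf record type ('host', 'hostssl', or the proposed 'hostnossl') that matches the client address, using the thread's "prefer SSL when nothing forbids it" default. The pg_hba.conf table and addresses are constructed.

```python
import ipaddress

# Constructed model of the SSL negotiation discussed in the thread. It is not
# libpq's or the backend's code; the table below is a constructed pg_hba.conf.
HBA = [
    ("hostnossl", "192.168.1.0/24"),   # local network: never pay for SSL
    ("hostssl", "0.0.0.0/0"),          # everyone else: SSL only
]


def hba_type_for(addr, hba=HBA):
    """Return the type of the first record whose network contains addr,
    or None when nothing matches (the backend would reject the connection)."""
    ip = ipaddress.ip_address(addr)
    for rec_type, net in hba:
        if ip in ipaddress.ip_network(net):
            return rec_type
    return None


def negotiate(requiressl, preventssl, server_has_ssl, hba_type):
    """Outcome of one connection attempt: 'ssl', 'plain' or 'reject'."""
    if requiressl and preventssl:
        # Bruce's rule: both flags set is a client-side error
        raise ValueError("REQUIRESSL and PREVENTSSL cannot both be set")
    if hba_type is None:
        return "reject"
    # SSL is possible only if the server has it and neither side forbids it
    ssl_ok = server_has_ssl and not preventssl and hba_type != "hostnossl"
    # plaintext is possible only if neither side insists on SSL
    plain_ok = not requiressl and hba_type != "hostssl"
    if ssl_ok:          # thread's default: prefer SSL whenever both sides allow it
        return "ssl"
    if plain_ok:
        return "plain"
    return "reject"


def connect(addr, requiressl=False, preventssl=False, server_has_ssl=True, hba=HBA):
    """Model one client at addr connecting to a server using the HBA table."""
    return negotiate(requiressl, preventssl, server_has_ssl, hba_type_for(addr, hba))
```

With this table a LAN client that would otherwise default to SSL is kept on plaintext by the 'hostnossl' record, which is exactly the case the thread says a client-side flag alone cannot enforce centrally.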
