Re: host and hostssl equivalence in pg_hba.conf

Nigel J. Andrews wrote:
>
> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow a SSL connection but requires
> the hostssl specifier?
>
> I had been going to submit a very small patch to do this but then it occurred
> to me this was a good candidate for a GUC along the lines of
> allow_host_hostssl_equivalence (just a name picked out of the air for this
> post). As this is a little bit more work and I can't get to anoncvs to refresh
> my tree I thought I'd check if it was something to persue or forget.

The other problem with using GUC here is that is adds even more
complexity to pg_bha.conf, where the meaning of 'host' changes depending
on postgresql.conf, and as Tom pointed out, it doesn't give per-host
control. I do think we need an additional host* line in pg_hba.conf for
this.

The real killer is that folks are getting SSL when they don't even know
it just because their client binaries/server are ssl.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073