From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Alexey Klyukin <alexk(at)hintbits(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: re-reading SSL certificates during server reload |
Date: | 2014-08-28 14:20:08 |
Message-ID: | 25272.1409235608@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Andres Freund <andres(at)2ndquadrant(dot)com> writes:
> On 2014-08-28 10:12:19 -0400, Tom Lane wrote:
>> Hm. Yeah, I guess there is some use in holding onto the values that were
>> actually used to initialize the current session, or at least there would
>> be if we exposed the cert contents in any fashion.

> Won't that allow the option to be specified at connection start by mere
> mortal users? That sounds odd to me.

Well, no, because SSL would be established (or not) before we ever process
the contents of the connection request packet. You might be able to
change the value that SHOW reports, but not the value actually governing
your session.

Having said that, there's a nearby thread about inventing a "SUBACKEND"
GUC category, and that's likely what we'd really want to use here, just
on the grounds that superusers would know better.

regards, tom lane