From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | hehe88hk(at)yahoo(dot)com(dot)hk (Eric) |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: forcing SSL |
Date: | 2004-02-15 05:26:59 |
Message-ID: | 5586.1076822819@sss.pgh.pa.us |
Lists: | pgsql-admin |

hehe88hk(at)yahoo(dot)com(dot)hk (Eric) writes:
> In order to ensure all users are making SSL connections to the database,
> in the file pg_hba.conf, I change all the first columns into "hostssl"
> such that there is neither "host" nor "local" left.
> However, when I try to use a program written in Tcl to access the
> database, even without the option "requiressl=1" for "pg_connect", the
> program can still make a connection to the database.

Is this a local-Unix-socket connection? We don't bother with SSL on
such connections. There's no point --- the only way to eavesdrop on
a local connection is to have broken into your kernel, at which point
it's game over anyway.

regards, tom lane

PS: it also occurs to me you might have forgotten to SIGHUP the
postmaster after editing pg_hba.conf...
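
An added example, not part of the original message or of PostgreSQL: one way to check the edit described in this thread is to classify every record in pg_hba.conf by whether it can accept a TCP connection without SSL. The sample file is constructed, the function names are hypothetical, `hostnossl` is a record type from later PostgreSQL releases that the message does not mention, and the parser assumes no quoted fields or include directives.

```python
import ipaddress

# Added example (not from the message). Constructed sample pg_hba.conf:
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                     METHOD
hostssl    all       all   192.0.2.0/24                md5
host       all       all   127.0.0.1  255.255.255.255  md5
local      all       all                               md5
hostnossl  all       all   198.51.100.7/32             reject
"""

SSL_ONLY, NON_SSL = "TCP, SSL required", "TCP, non-SSL accepted"
SOCKET, REJECT = "Unix socket, SSL not used", "rejects the connection"

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _method(fields):
    if fields[0] == "local":
        return fields[3]                      # TYPE DB USER METHOD
    if "/" not in fields[3] and len(fields) > 5 and _is_ip(fields[4]):
        return fields[5]                      # TYPE DB USER IP MASK METHOD
    return fields[4]                          # TYPE DB USER ADDRESS METHOD

def audit_hba(text):
    """Return [(line number, record type, verdict)] for each record."""
    verdicts = {"local": SOCKET, "hostssl": SSL_ONLY,
                "host": NON_SSL, "hostnossl": NON_SSL}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumes no quoted '#'
        if not fields:
            continue
        rtype = fields[0]
        if len(fields) < (4 if rtype == "local" else 5):
            verdict = "malformed"
        elif _method(fields) == "reject":
            verdict = REJECT
        else:
            verdict = verdicts.get(rtype, "not classified")
        out.append((lineno, rtype, verdict))
    return out

def non_ssl_tcp(text):
    """Line numbers of records that accept a TCP connection without SSL."""
    return [n for n, _, v in audit_hba(text) if v == NON_SSL]
```

The audit describes the file on disk only; a running postmaster keeps using the rules it last loaded until it receives SIGHUP, which is the point of the PS.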