From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jalaj Negi <jalajsinghnegi(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #5008: Server Startup Problem - When server is configured for SSL |
Date: | 2009-08-27 07:00:01 |
Message-ID: | 9837222c0908270000s4a96cad5ief500b0ea2fc7403@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Wed, Aug 26, 2009 at 22:47, Tom Lane<tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> On Wed, Aug 26, 2009 at 15:57, Tom Lane<tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>>> But that will still fail if the user has set it up to require a client
>>>> certificate.
>>>
>>> But not till it gets to the pg_hba checks. We might need to have some
>
>> How would that be different from what we have now? sslmode=prefer will
>> still allow both ssl and non-ssl connection. It won't kick you out
>> until you reach the hba processing, will it?
>
> Hm, will it retry if the ssl setup step fails? If so it'd be all right,
> but it's still a waste of cycles ...
Yes, that's the difference between prefer and require.
I think the main issue is that test_postmaster_connection() only
accepts two cases - successful login and password prompt. It would
have similar issues with say an ident mismatch, or loopback
connections configured for kerberos.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Nikola Ciprich | 2009-08-27 08:18:23 | BUG #5017: unsigned packages in RHEL4 8.3 packages |
Previous Message | Heikki Linnakangas | 2009-08-27 06:30:16 | Re: BUG #5011: Standby recovery unable to follow timeline change |