Re: Unfriendly handling of pg_hba SSL options with SSL off

On Mon, Apr 25, 2011 at 18:59, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> A recent complaint in pgsql-novice revealed that if you have say
>>
>> hostssl    all             all             127.0.0.1/32            md5 clientcert=1
>>
>> in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
>> you get something like this:
>>
>> LOG:  client certificates can only be checked if a root certificate store is available
>> HINT:  Make sure the root.crt file is present and readable.
>> CONTEXT:  line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf"
>> LOG:  client certificates can only be checked if a root certificate store is available
>> HINT:  Make sure the root.crt file is present and readable.
>> CONTEXT:  line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf"
>> FATAL:  could not load pg_hba.conf
>>
>> Needless to say, this is pretty unhelpful, especially if you actually do
>> have a root.crt file.
>>
>> I'm inclined to think that the correct fix is to make parse_hba_line,
>> where it first realizes the line is "hostssl", check not only that SSL
>> support is compiled but that it's turned on.  Is it really sensible to
>> allow hostssl lines in pg_hba.conf when SSL is turned off?  At best
>> they are no-ops, and at worst they're going to result in weird failures
>> like this one.
>
> It's not clear to me what behavior you are proposing.  Would we
> disregard the hostssl line or treat it as an error?

It would absolutely have to be treat it as an error. another option
would be to throw a more specific warning at that place, and keep the
rest of the code the same.

We can't *ignore* hostssl rows in ssl=off mode, that would be an easy
way for an admin to set up a system they thought was secure but
isn't...

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/