Re: Refuse SSL patch

From: Jon Jensen <jon(at)endpoint(dot)com>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Refuse SSL patch
Date: 2003-01-07 16:04:45
Message-ID: Pine.LNX.4.50.0301071555090.19672-100000@louche.swelter.net
Lists: pgsql-patches

On Tue, 7 Jan 2003, Bruce Momjian wrote:

> Jon Jensen wrote:
> > > I don't think overloading REQUIRE to mean something else is really the
> > > way to go. Looking at your options, we have:
> > >
> > > > > 0 - Refuse SSL
> > >
> > > Hard to imagine why someone would pick this one.
> >
> > But this is the exact reason I started my patch -- I need a server that
> > can do SSL to allow *only* SSL connections to an off-site IP address, but
> > *only* non-SSL connections to an internal IP address on a private network.
> > Speed would suffer greatly if I were to allow SSL connections internally,
> > but security would suffer if I disabled all SSL connections.
>
> But doesn't pg_hba.conf do that already, in that you say 'host' for the
> local ip, but ssl for the remote ip's?

The proposed SSLMODE is a client-side configuration option to supersede
REQUIRESSL, which is also a client configuration option. Here's the
problem:

1. The client always tries to connect via SSL if SSL support was compiled
in. There is no way to change this presently.
2. If the server can do SSL *at all*, it negotiates an SSL connection with
the client.
3. End of story -- we have an SSL connection when I don't want one. The
only way around it is to have the server have no SSL support at all.

So it's a client problem. The client needs to be configured to not try an
SSL connection at all, when I don't want it to. Hence SSLMODE=0, which
means forbid SSL.

But on the other hand, we want some control on the server as well -- we
may want to disallow SSL connections from a certain IP address, if nothing
else just to make sure a client doesn't accidentally use SSL over the
local network because someone forgets not to use it. Otherwise we could be
accidentally using SSL on the local network and killing performance. So I
added a 'hostnossl' option to pg_hba.conf, which will allow only non-SSL
connections from certain IP addresses.

Only the client changes are really necessary for my setup to work, but the
server change allows me to guarantee that other developers don't
accidentally connect via SSL when it's not wanted.

Does that make more sense?

Jon
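
The server-side half of the setup described in this message, as an added example that is not part of the original email or the patch: a small Python model of how pg_hba.conf record types filter on a connection's SSL state (`host` matches either, `hostssl` only SSL, `hostnossl` only non-SSL, first matching record wins). The addresses, CIDR notation and `md5` method are constructed for illustration, and `parse_hba` and `decide` are hypothetical helper names.

```python
import ipaddress

# Constructed sample rules: internal network must NOT use SSL,
# the off-site range MUST use SSL. Addresses are illustrative.
SAMPLE_HBA = """
# TYPE      DATABASE  USER  ADDRESS           METHOD
hostnossl   all       all   10.0.0.0/8        md5
hostssl     all       all   203.0.113.0/24    md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_hba(text):
    """Return (type, network, method) tuples for host* records."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 5 and fields[0] in HOST_TYPES:
            rules.append((fields[0], ipaddress.ip_network(fields[3]), fields[4]))
    return rules


def decide(rules, client_ip, uses_ssl):
    """Return the auth method of the first matching record.

    A record matches only if the address is in range AND the record
    type agrees with the connection's SSL state. With no matching
    record the connection is refused, modelled here as "reject".
    """
    addr = ipaddress.ip_address(client_ip)
    for rtype, net, method in rules:
        if addr not in net:
            continue
        if rtype == "hostssl" and not uses_ssl:
            continue
        if rtype == "hostnossl" and uses_ssl:
            continue
        return method
    return "reject"


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip in ("10.1.2.3", "203.0.113.7"):
        for ssl in (False, True):
            print(f"{ip:13} ssl={ssl!s:5} -> {decide(rules, ip, ssl)}")
```

Replacing the `hostnossl` line with a plain `host` record makes the internal range accept both SSL and non-SSL connections, which is the accidental-SSL case the message wants the server to rule out.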
