Re: host and hostssl equivalence in pg_hba.conf

Nigel J. Andrews wrote:
> 
> How do people feel about changing matching for host and hostssl to be such that
> a plain host line in pg_hba.conf does not allow a SSL connection but requires
> the hostssl specifier?
> 
> I had been going to submit a very small patch to do this but then it occurred
> to me this was a good candidate for a GUC along the lines of
> allow_host_hostssl_equivalence (just a name picked out of the air for this
> post). As this is a little bit more work and I can't get to anoncvs to refresh
> my tree I thought I'd check if it was something to persue or forget.

The other problem with using GUC here is that is adds even more
complexity to pg_bha.conf, where the meaning of 'host' changes depending
on postgresql.conf, and as Tom pointed out, it doesn't give per-host
control.  I do think we need an additional host* line in pg_hba.conf for
this.

The real killer is that folks are getting SSL when they don't even know
it just because their client binaries/server are ssl.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073