Re: [HACKERS] Client SSL validation using root.crt
| From | Martijn van Oosterhout |
|---|---|
| Subject | Re: [HACKERS] Client SSL validation using root.crt |
| Date | |
| Msg-id | 20061121102945.GB7205@svana.org |
| In reply to | Re: Client SSL validation using root.crt (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: [HACKERS] Client SSL validation using root.crt |
| List | pgsql-general |
On Mon, Nov 20, 2006 at 10:30:31PM -0500, Tom Lane wrote:
> "Sergio" <sergio.cinos@gmail.com> writes:
> > I see a strange behaviour using root.crt. PostgreSQL always waits for a
> > client certificate to check against root.crt. But I set up a
> > 'hostnossl' auth line in pg_hba.conf, PostgreSQL still wants a client
> > certificate.
>
> No, not really. The problem is that in the default PGSSLMODE=prefer
> behavior, libpq tries an SSL connection first. It's prepared to retry
> with a non-SSL connection if it gets a rejection from the server ...
> but if OpenSSL fails to establish the connection, it just dies
> immediately.

It is possible to continue communicating after SSL negotiation failure.
If SSL_accept/connect return 0, that means the negotiation failed cleanly
and in theory libpq could continue in non-SSL mode. I think long term this
would be the nicest solution (no double connections) but it's probably
more complicated than looping around again after SSL failure.

Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
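The failure the thread describes, as an added example in Go (not code from the thread, from libpq or from PostgreSQL): a server that holds root.crt requires a client certificate chaining to that root, so a client with nothing to present gets a hard handshake error rather than a server-side rejection it could fall back from, while a root-signed certificate is accepted. The in-memory pipe, the throwaway certificates and all names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert mints constructed test material (not real keys). With parent == nil the
// result is a self-signed CA standing in for root.crt; otherwise a leaf it signed.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe. The server mimics a
// PostgreSQL server with root.crt (a client certificate chaining to that root is
// required); passing no clientCerts models a libpq client with nothing to offer.
// The client-side handshake error is returned (nil when the server accepted it).
func handshake(root, serverCert tls.Certificate, clientCerts ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cli := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCerts, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // a failed handshake must not hang the pipe
	s.SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan error, 1)
	go func() { done <- tls.Server(s, srv).Handshake() }()
	err := tls.Client(c, cli).Handshake() // without a client cert this is the hard failure libpq dies on
	<-done
	return err
}
```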