Re: SSL over Unix-domain sockets

Am Montag, 14. Januar 2008 schrieb Tom Lane:
> If we do want to apply Peter's patch, I think it needs to be extended so
> that the default behavior on sockets is the same as before, ie, no SSL.
> This could be done by giving libpq an additional connection parameter,
> say "socketsslmode", having the same alternatives as sslmode but
> defaulting to "allow" instead of "prefer".

I suggest we don't do anything for 8.3, and return to investigate the full 
range of options for 8.4.  Those might include adding SSL support for local 
sockets but disabled by default, using SO_PEERCRED to check the server 
identity, and more fine-grained control over (multiple?) local socket 
placement.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/