Re: Let people set host(no)ssl settings from initdb
| From | Peter Eisentraut |
|---|---|
| Subject | Re: Let people set host(no)ssl settings from initdb |
| Date | |
| Msg-id | 3a820006-58fd-e62a-c65f-de91d0912d42@2ndquadrant.com |
| In reply to | Re: Let people set host(no)ssl settings from initdb (David Fetter <david@fetter.org>) |
| Responses | Re: Let people set host(no)ssl settings from initdb |
| List | pgsql-hackers |
On 2019-12-12 07:24, David Fetter wrote:
>> That problem exists even before you get to the question of whether
>> this specific option is useful or well-designed ... a question I'm
>> not opining about here, but it would certainly require thought.
> I think it was a reasonable extension. We cover lines that start with
> local and host, but they can also start with hostssl and hostnossl.

I suspect the real purpose here is to easily reject non-SSL connections altogether. This is currently quite cumbersome and requires careful ongoing maintenance of pg_hba.conf. But I see two problems with the proposed approach:

(1) initdb doesn't support setting up SSL, so the only thing you can achieve here is to reject all TCP/IP connections, until you have set up SSL.

(2) The default pg_hba.conf only covers localhost connections. The value of enforcing SSL connections to localhost is probably quite low. You still need ongoing careful pg_hba.conf maintenance as you add more host entries.

Maybe we just need something like libpq's sslmode on the server side. Probably not quite the same, perhaps just ssl = require.

-- 
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
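As an added example, not part of this thread or of PostgreSQL itself, a small audit of the "ongoing careful pg_hba.conf maintenance" the message describes: it walks a pg_hba.conf top-down and reports the `host` records that a non-SSL TCP client could still reach. The file contents in `SAMPLE_HBA` are constructed; only CIDR addresses and the keyword `all` are understood, and the `address netmask` form is not parsed (its netmask is read as the method, so such a record is reported as admitting).

```python
import ipaddress

# Constructed sample pg_hba.conf: initdb's default localhost records plus a
# few added remote entries. Not taken from any real deployment.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS        METHOD
local      all       all                  trust
hostnossl  all       all   127.0.0.1/32   reject
host       all       all   127.0.0.1/32   scram-sha-256
host       all       all   ::1/128        scram-sha-256
hostssl    all       all   10.0.0.0/8     scram-sha-256
host       all       all   10.1.2.0/24    md5
"""

def parse_hba(text):
    """Yield (lineno, type, db, user, network, method) for TCP/IP records."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # `local` records and malformed lines are out of scope
        rectype, db, user, addr, method = fields[:5]
        try:  # CIDR or the keyword `all` (None); hostnames etc. are skipped
            net = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        yield lineno, rectype, db, user, net, method

def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:  # `all` covers everything
        return True
    if inner is None or outer.version != inner.version:
        return False
    return inner.subnet_of(outer)

def nonssl_admitting_records(text):
    """Line numbers of records through which a non-SSL TCP client can get in."""
    rejected, admitting = [], []  # networks already rejected for non-SSL clients
    for lineno, rectype, db, user, net, method in parse_hba(text):
        if rectype == "hostssl":
            continue  # never matches a non-SSL connection
        if method == "reject":  # records match top-down, so only earlier
            if db == "all" and user == "all":  # unconditional rejects count
                rejected.append(net)
            continue
        # a plain `host` (or `hostnossl`) record admits plaintext clients
        # unless its whole address range was already rejected above
        if not any(covers(r, net) for r in rejected):
            admitting.append(lineno)
    return admitting
```

On the sample file this reports lines 5 and 7: the IPv6 localhost record has no matching `hostnossl ... reject` above it, and the added `10.1.2.0/24` record sits outside the `hostssl` entry, which never sees a plaintext client anyway.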