Re: Unfriendly handling of pg_hba SSL options with SSL off

On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> A recent complaint in pgsql-novice revealed that if you have say
>
> hostssl    all             all             127.0.0.1/32            md5 clientcert=1
>
> in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
> you get something like this:
>
> LOG:  client certificates can only be checked if a root certificate store is available
> HINT:  Make sure the root.crt file is present and readable.
> CONTEXT:  line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf"
> LOG:  client certificates can only be checked if a root certificate store is available
> HINT:  Make sure the root.crt file is present and readable.
> CONTEXT:  line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf"
> FATAL:  could not load pg_hba.conf
>
> Needless to say, this is pretty unhelpful, especially if you actually do
> have a root.crt file.
>
> I'm inclined to think that the correct fix is to make parse_hba_line,
> where it first realizes the line is "hostssl", check not only that SSL
> support is compiled but that it's turned on.  Is it really sensible to
> allow hostssl lines in pg_hba.conf when SSL is turned off?  At best
> they are no-ops, and at worst they're going to result in weird failures
> like this one.

It's not clear to me what behavior you are proposing.  Would we
disregard the hostssl line or treat it as an error?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company