Re: host and hostssl equivalence in pg_hba.conf
From | Nigel J. Andrews |
---|---|
Subject | Re: host and hostssl equivalence in pg_hba.conf |
Date | |
Msg-id | Pine.LNX.4.21.0306101043310.2332-100000@ponder.fairway2k.co.uk |
In response to | Re: large objects ("Nigel J. Andrews" <nandrews@investsystems.co.uk>) |
Responses |
Re: host and hostssl equivalence in pg_hba.conf
Re: host and hostssl equivalence in pg_hba.conf Re: host and hostssl equivalence in pg_hba.conf |
List | pgsql-hackers |
How do people feel about changing matching for host and hostssl to be such that a plain host line in pg_hba.conf does not allow an SSL connection but requires the hostssl specifier?

I had been going to submit a very small patch to do this but then it occurred to me this was a good candidate for a GUC along the lines of allow_host_hostssl_equivalence (just a name picked out of the air for this post). As this is a little bit more work and I can't get to anoncvs to refresh my tree I thought I'd check if it was something to pursue or forget.

To recap another thread I started, I had problems with large objects, Tom suggested it might be SSL related as unix domain connections were fine, I confirmed I still had the problem in 7.3.3 but then was unable to switch off SSL for any IP connections without a rebuild as the host line in pg_hba.conf permits SSL connections. What I haven't done is confirm 7.4 has the problem (see the anoncvs comment above).

I suggest this as a GUC controlled feature since it seems from first impressions that it is a lot more work to fall back to without SSL if there is a matching host line but not a hostssl one. That is, connections from SSL enabled clients would be rejected if there was no hostssl entry for them, even if there was a matching host entry, thus locking that client out of the server (unless there was some way to tell the client to not attempt SSL).

Hmm...hope that's understandable, I seem to have rabbited on making this a lot longer than I was expecting to.

--
Nigel Andrews
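The matching behaviour discussed in the message above, as an added example that is not part of the original post and is not PostgreSQL code: a simplified first-match model of `host`/`hostssl` lines. The `equivalence` parameter is hypothetical and stands in for the GUC the poster floats; the sample rules are constructed and use CIDR addresses as in current pg_hba.conf files.

```python
import ipaddress

# Constructed sample rules: TYPE DATABASE USER ADDRESS METHOD
SAMPLE_HBA = """
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    trust
hostssl  all       all   10.0.0.0/8       md5
host     all       all   192.168.1.0/24   md5
"""

def parse_hba(text):
    """Return (type, network, method) for each host/hostssl line, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # blank, comment, or unix-domain rule (not relevant to TCP)
        if fields[0] not in ("host", "hostssl") or len(fields) < 5:
            raise ValueError(f"unsupported line in this model: {line!r}")
        rules.append((fields[0], ipaddress.ip_network(fields[3]), fields[4]))
    return rules

def match(rules, client_ip, ssl, equivalence=True):
    """First matching rule wins; None means no entry matched and the connection is rejected.

    equivalence=True  : a host line matches SSL and non-SSL connections
                        (the behaviour the post describes).
    equivalence=False : a host line matches only non-SSL connections
                        (the change the post proposes; hypothetical switch).
    """
    addr = ipaddress.ip_address(client_ip)
    for kind, net, method in rules:
        if addr not in net:
            continue
        if kind == "hostssl" and not ssl:
            continue  # hostssl never matches a plaintext connection
        if kind == "host" and ssl and not equivalence:
            continue  # proposed: plain host no longer admits SSL
        return kind, method
    return None

RULES = parse_hba(SAMPLE_HBA)

if __name__ == "__main__":
    for ssl in (True, False):
        for eq in (True, False):
            print(f"192.168.1.5 ssl={ssl} equivalence={eq}:",
                  match(RULES, "192.168.1.5", ssl, eq))
```

With equivalence switched off, the SSL client from 192.168.1.0/24 matches no line at all, which is the lockout the message describes.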