RE: SSL Patch - again :-)

Started by Magnus Hagander, over 25 years ago, 2 messages
#1Magnus Hagander
mha@sollentuna.net

* I changed the meaning of "-l" from "Listen to only SSL" to
"Disable SSL". It seems safe to me to do this since the
previous function of "-l" never worked anyway.
Using this switch, you can start the postmaster without
having the secret key and the certificate file in place.

I'd rather see SSL off by default and `-l' enabling it, but that's a
trivial change if we agree on it.

No problem with me :-)
It should just be to change the default of RequireSSL to false, and then set
it to "true" when -l is specified.

Right now, the only way to set "requiressl" for psql is to use
an environment variable. I'd like it to be possible to do this
using the commandline for example, probably using a "psql
variable".

We need to think in terms of all client applications though.
Ideally we'd use some sort of option letter, but we'd never find one that's
consistently available. What do people think about optionally making the
host parameter URI style, e.g. "pgsql://localhost" or
"pgsql-ssl://localhost" or even
"pgsql://user:password@foo.com:6543". A
bare host defaults to "pgsql://name:5432". Hmm, I think I would like that
in terms of extensibility. Doesn't JDBC work like that already?

I think I wasn't clear enough. :-) It can *already* be specified by any
client application as long as you use PQconnectdb(). For example:
PQconnectdb("dbname='foo' host='localhost' requiressl=1")

(I just put it into the "PQconninfoOptions" array.)
(Now that I think of it, I never really *tested* that part, though :-) But I
think it should work. [testing]. Yes, it works.)

But that would require changing psql to use PQconnectDb() instead
of PQsetdbLogin(), so I figured I should check first :-) [BTW,
PQconnectDb() is the recommended way of doing it nowadays, right?]

In theory yes, and this might well be a good reason to start doing so,
because you won't get away with changing the prototype of
PQsetdbLogin().

Exactly my thoughts :-)

Documentation is coming up,

Nice...

Any thoughts about client (and server) authentication via SSL?

Yup, I've been thinking about it. :-)
I was thinking of adding an authentication type "sslcert" (in addition to the
ident, trust, password etc that exist today) only valid for "hostssl" lines.
Then a map somewhere similar to the "ident-map" in concept mapping a SSL
certificate subject name to a postgres username. (Or maybe that should be
done similar to pg_shadow, modifiable from inside the db?)

//Magnus

#2Magnus Hagander
mha@sollentuna.net
In reply to: Magnus Hagander (#1)
RE: RE: SSL Patch - again :-)

I think I wasn't clear enough. :-) It can *already* be specified by any
client application as long as you use PQconnectdb(). For example:
PQconnectdb("dbname='foo' host='localhost' requiressl=1")

I understand but this setting needs to be made available externally in
some cases like psql and pg_dump and I was afraid of option letter
inflation.

I was thinking we could use a "psql variable" in the case of psql, if we
wanted. For example:
psql -h localhost template1 -v "requiressl=1"
or something like that?

Oh, and it's still available by
PGREQUIRE_SSL=1 pgdump <whatever>

Actually, isn't there a trichotomy here: 1. require SSL, 2. use SSL if
available, 3. refuse SSL. The server side already handles all cases: 1 -
"hostssl" in pg_hba.conf, 2 - `postmaster -l', 3 - default. The client
side should perhaps also have these choices, not sure.

Good point. The reason for the client to not do SSL when both client and
server supports it could be performance, I guess.
Perhaps we should replace PGREQUIRE_SSL with "PGSSLMODE", being:
0 - Refuse SSL
1 - Negotiate, Prefer non-SSL
2 - Negotiate, Prefer SSL (default)
3 - Require SSL

Anything else you guys will need on this patch before it's fine? :-) No
rush, but just so I know what to work on...

//Magnus
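Added illustration of the two mechanisms discussed in this thread (the conninfo string syntax that PQconnectdb() accepts, shown in #1 and quoted in #2, and the four-value PGSSLMODE negotiation proposed at the end of #2). This is not code from the patch or from libpq: the conninfo parser is a simplified re-implementation, the numeric mode values follow the proposal in the thread (the sslmode keyword libpq eventually shipped uses the names disable/allow/prefer/require instead), and the three-way server posture (no SSL / SSL offered / SSL required, standing in for the default, `postmaster -l` and a "hostssl" line) is an assumption made to keep the negotiation self-contained.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Client-side modes as numbered in the thread's PGSSLMODE proposal (hypothetical
 * numbering; real libpq later used named sslmode values). */
enum ssl_mode { SSL_REFUSE = 0, SSL_PREFER_PLAIN = 1, SSL_PREFER_SSL = 2, SSL_REQUIRE = 3 };

/* Assumed server-side posture: default (no SSL), postmaster -l (SSL offered),
 * "hostssl" in pg_hba.conf (SSL required for this client). */
enum server_mode { SRV_NO_SSL = 0, SRV_OFFERS_SSL = 1, SRV_REQUIRES_SSL = 2 };

/* What the connection ends up as. */
enum outcome { CONN_PLAIN = 0, CONN_SSL = 1, CONN_FAIL = 2 };

/* Look up one keyword in a conninfo string of the form PQconnectdb() accepts:
 * whitespace-separated key=value pairs, values optionally single-quoted with
 * backslash escapes.  Returns 1 and copies the value when found, 0 when absent,
 * -1 when the string is malformed.  Simplified re-implementation, not libpq's. */
int conninfo_get(const char *conninfo, const char *key, char *out, size_t outlen)
{
    const char *p = conninfo;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *kstart = p;
        while (*p && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t klen = (size_t)(p - kstart);
        while (isspace((unsigned char)*p)) p++;
        if (*p != '=') return -1;                 /* keyword without '=' */
        p++;
        while (isspace((unsigned char)*p)) p++;
        char val[256];
        size_t vlen = 0;
        if (*p == '\'') {                         /* quoted value, ends at next unescaped quote */
            p++;
            while (*p && *p != '\'') {
                if (*p == '\\' && p[1]) p++;      /* backslash escapes the next character */
                if (vlen + 1 < sizeof val) val[vlen++] = *p;
                p++;
            }
            if (*p != '\'') return -1;            /* unterminated quote */
            p++;
        } else {                                  /* bare value, ends at whitespace */
            while (*p && !isspace((unsigned char)*p)) {
                if (vlen + 1 < sizeof val) val[vlen++] = *p;
                p++;
            }
        }
        val[vlen] = '\0';
        if (klen == strlen(key) && strncmp(kstart, key, klen) == 0) {
            snprintf(out, outlen, "%s", val);
            return 1;
        }
    }
    return 0;
}

/* 1 if key is present with exactly this value, 0 otherwise, -1 if malformed. */
int conninfo_has(const char *conninfo, const char *key, const char *expect)
{
    char v[256];
    int r = conninfo_get(conninfo, key, v, sizeof v);
    if (r < 0) return -1;
    return r == 1 && strcmp(v, expect) == 0;
}

/* Derive the client's mode: a numeric "sslmode" keyword (the proposal) wins,
 * otherwise "requiressl=1" from the patch means SSL_REQUIRE, default SSL_PREFER_SSL.
 * Returns -1 for an out-of-range or non-numeric sslmode. */
int client_ssl_mode(const char *conninfo)
{
    char v[256];
    if (conninfo_get(conninfo, "sslmode", v, sizeof v) == 1) {
        char *end;
        long m = strtol(v, &end, 10);
        if (end == v || *end != '\0' || m < SSL_REFUSE || m > SSL_REQUIRE) return -1;
        return (int)m;
    }
    if (conninfo_get(conninfo, "requiressl", v, sizeof v) == 1)
        return strcmp(v, "1") == 0 ? SSL_REQUIRE : SSL_PREFER_SSL;
    return SSL_PREFER_SSL;
}

/* Combine client preference and server posture into the resulting connection type. */
int negotiate(int client_mode, int server_mode)
{
    int server_can_ssl   = server_mode != SRV_NO_SSL;
    int server_can_plain = server_mode != SRV_REQUIRES_SSL;
    switch (client_mode) {
    case SSL_REFUSE:       return server_can_plain ? CONN_PLAIN : CONN_FAIL;
    case SSL_PREFER_PLAIN: return server_can_plain ? CONN_PLAIN : CONN_SSL;
    case SSL_PREFER_SSL:   return server_can_ssl   ? CONN_SSL   : CONN_PLAIN;
    case SSL_REQUIRE:      return server_can_ssl   ? CONN_SSL   : CONN_FAIL;
    default:               return CONN_FAIL;      /* unknown mode: fail closed */
    }
}

int main(void)
{
    /* Constructed sample input: the thread's own conninfo string. */
    const char *c = "dbname='foo' host='localhost' requiressl=1";
    static const char *names[] = { "plain", "ssl", "FAIL" };
    int mode = client_ssl_mode(c);
    for (int s = SRV_NO_SSL; s <= SRV_REQUIRES_SSL; s++)
        printf("client mode %d vs server mode %d -> %s\n", mode, s, names[negotiate(mode, s)]);
    return 0;
}
```

The point of the negotiation table is the failure mode the thread touches on: with requiressl=1 a client refuses to fall back to plaintext against a server that cannot do SSL, while the default prefer-SSL mode silently downgrades, so the mode a deployment picks decides whether a missing certificate is an outage or an unnoticed cleartext session.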