| author | Bruce Momjian | 2003-07-26 13:50:02 +0000 |
|---|---|---|
| committer | Bruce Momjian | 2003-07-26 13:50:02 +0000 |
| commit | 397831e1039ecc335e1aae54ebea8483ce2e6b72 (patch) | |
| tree | 60376fb24aa0f5a089de483854c6ac88100e5a95 /src/backend | |
| parent | 5f2499d5af493673e7a15bd3756ab81d7816e57c (diff) | |
At long last I put together a patch to support 4 client SSL negotiation
modes (and replace the requiressl boolean). The four options were first
spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
to pgsql-hackers, archived here:
http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php

My original less-flexible patch and the ensuing thread are archived at:
http://dbforums.com/t623845.html

Attached is a new patch, including documentation.

To sum up, there's a new client parameter "sslmode" and environment
variable "PGSSLMODE", with these options:

| sslmode | description |
|---|---|
| disable | Unencrypted non-SSL only |
| allow | Negotiate, prefer non-SSL |
| prefer | Negotiate, prefer SSL (default) |
| require | Require SSL |

The only change to the server is a new pg_hba.conf line type,
"hostnossl", for specifying connections that are not allowed to use SSL
(for example, to prevent servers on a local network from accidentally
using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:

| pg_hba.conf line types | |
|---|---|
| host | applies to either SSL or regular connections |
| hostssl | applies only to SSL connections |
| hostnossl | applies only to regular connections |

These client and server options, the postgresql.conf ssl = false option,
and finally the possibility of compiling with no SSL support at all,
make quite a range of combinations to test. I threw together a test
script to try many of them out. It's in a separate tarball with its
config files, a patch to psql so it'll announce SSL connections even in
absence of a tty, and the test output. The test is especially informative
when run on the same tty the postmaster was started on, so the FATAL:
errors during negotiation are interleaved with the psql client output.

I saw Tom write that new submissions for 7.4 have to be in before midnight
local time, and since I'm on the east coast in the US, this just makes it
in before the bell. :)

Jon Jensen
Diffstat (limited to 'src/backend')
| -rw-r--r-- | src/backend/libpq/auth.c | 12 |
| -rw-r--r-- | src/backend/libpq/hba.c | 16 |
2 files changed, 22 insertions, 6 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index a24f097846..fd8d54a012 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.105 2003/07/23 23:30:40 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.106 2003/07/26 13:50:02 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -439,10 +439,16 @@ ClientAuthentication(Port *port) NULL, 0, NI_NUMERICHOST); +#ifdef USE_SSL +#define EREPORT_SSL_STATUS (port->ssl ? "on" : "off") +#else +#define EREPORT_SSL_STATUS "off" +#endif + ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), - errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, port->database_name))); + errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"", + hostinfo, port->user_name, port->database_name, EREPORT_SSL_STATUS))); break; } diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 0d98e729a4..b233ee235d 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.107 2003/07/23 23:30:40 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.108 2003/07/26 13:50:02 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -595,10 +595,12 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p) if (port->raddr.addr.ss_family != AF_UNIX) return; } - else if (strcmp(token, "host") == 0 || strcmp(token, "hostssl") == 0) + else if (strcmp(token, "host") == 0 + || strcmp(token, "hostssl") == 0 + || strcmp(token, "hostnossl") == 0) { - if (strcmp(token, "hostssl") == 0) + if (token[4] == 's') /* "hostssl" */ { #ifdef USE_SSL /* Record does not match if we are not on an SSL connection */ 
@@ -614,6 +616,14 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p) goto hba_syntax; #endif } +#ifdef USE_SSL + else if (token[4] == 'n') /* "hostnossl" */ + { + /* Record does not match if we are on an SSL connection */ + if (port->ssl) + return; + } +#endif /* Get the database. */ line = lnext(line); |
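Review bot: In the auth.c ClientAuthentication hunk, EREPORT_SSL_STATUS is #defined in the middle of a function body and never #undef'd, so the macro stays visible for the rest of the translation unit. A local variable keeps the conditional compilation in one place without that leak: declare `const char *ssl_status;` and set it to `port->ssl ? "on" : "off"` under #ifdef USE_SSL and to `"off"` otherwise, then pass `ssl_status` to errmsg in place of the macro. Reporting the SSL state in the "no pg_hba.conf entry" message itself is a good addition: with hostssl and hostnossl now both possible, it is the one detail an administrator needs to see why a line did not match, and it tells the client nothing it does not already know about its own connection.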
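Review bot: In the hba.c parse_hba hunk at @@ -595, replacing `strcmp(token, "hostssl") == 0` with `if (token[4] == 's') /* "hostssl" */` is only correct because the enclosing condition has just restricted token to exactly "host", "hostssl" or "hostnossl" (for "host", token[4] is the terminating NUL). That coupling is invisible at the point of the test, and any future keyword beginning with "hosts" or "hostn" added to the outer condition would be silently misclassified here. Since this is the access-control parser and the comparison runs once per pg_hba.conf line, the explicit strcmp was clearer at negligible cost; if the index test stays, the comment should state that it relies on the outer strcmp guard.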
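Review bot: In the hba.c hunk at @@ -614, the new "hostnossl" branch is wrapped entirely in #ifdef USE_SSL, while the earlier hunk accepts the "hostnossl" keyword unconditionally. In a build without SSL support a hostnossl line therefore falls through and is matched exactly like a plain host line. That result is defensible (every connection is non-SSL in such a build), but it is asymmetric with hostssl, which the context lines show is rejected with `goto hba_syntax` when USE_SSL is not defined, and nothing in the code says the fall-through is intentional. Suggest an `#else` branch carrying a comment that hostnossl matches all connections when SSL is compiled out, so the behaviour is documented rather than accidental, or treating it as a syntax error for consistency with hostssl.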
