Re: [PATCHES] sslmode patch - Mailing list pgsql-hackers

| From | Bruce Momjian |
|---|---|
| Subject | Re: [PATCHES] sslmode patch |
| Date | |
| Msg-id | 200307261441.h6QEfc907789@candle.pha.pa.us |
| Responses | Re: [PATCHES] sslmode patch |
| List | pgsql-hackers |
I had a little problem applying this patch because it had an #ifdef for
elog() parameter passing. Because ereport() is now a macro, you can't do
#ifdef inside a macro _call_, so I did it this way:

    #ifdef USE_SSL
    #define EREPORT_SSL_STATUS (port->ssl ? "on" : "off")
    #else
    #define EREPORT_SSL_STATUS "off"
    #endif
                ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
                            hostinfo, port->user_name, port->database_name,
                            EREPORT_SSL_STATUS)));
                break;

Is this the proper way to do it?

---------------------------------------------------------------------------

Bruce Momjian wrote:
>
> Newest patch applied.  Thanks.
>
> ---------------------------------------------------------------------------
>
>
> Jon Jensen wrote:
> > Folks,
> >
> > At long last I put together a patch to support 4 client SSL negotiation
> > modes (and replace the requiressl boolean). The four options were first
> > spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
> > to pgsql-hackers, archived here:
> >
> > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
> >
> > My original less-flexible patch and the ensuing thread are archived at:
> >
> > http://dbforums.com/t623845.html
> >
> > Attached is a new patch, including documentation.
> >
> > To sum up, there's a new client parameter "sslmode" and environment
> > variable "PGSSLMODE", with these options:
> >
> > sslmode    description
> > -------    -----------
> > disable    Unencrypted non-SSL only
> > allow      Negotiate, prefer non-SSL
> > prefer     Negotiate, prefer SSL (default)
> > require    Require SSL
> >
> > The only change to the server is a new pg_hba.conf line type,
> > "hostnossl", for specifying connections that are not allowed to use SSL
> > (for example, to prevent servers on a local network from accidentally
> > using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
> >
> > pg_hba.conf line types
> > ----------------------
> > host        applies to either SSL or regular connections
> > hostssl     applies only to SSL connections
> > hostnossl   applies only to regular connections
> >
> > These client and server options, the postgresql.conf ssl = false option,
> > and finally the possibility of compiling with no SSL support at all,
> > make quite a range of combinations to test. I threw together a test
> > script to try many of them out. It's in a separate tarball with its
> > config files, a patch to psql so it'll announce SSL connections even in
> > absence of a tty, and the test output. The test is especially informative
> > when run on the same tty the postmaster was started on, so the FATAL:
> > errors during negotiation are interleaved with the psql client output.
> >
> > I saw Tom write that new submissions for 7.4 have to be in before midnight
> > local time, and since I'm on the east coast in the US, this just makes it
> > in before the bell. :)
> >
> > Jon
> > Content-Description:
> > [ Attachment, skipping... ]
> > Content-Description:
> > [ Attachment, skipping... ]
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 6: Have you searched our list archives?
> >
> > http://archives.postgresql.org
>
> --
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman@candle.pha.pa.us               |  (610) 359-1001
>   +  If your life is a hard drive,     |  13 Roberts Road
>   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
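The macro-call problem Bruce describes, as an added example that is not code from the patch or from the PostgreSQL sources: a stand-in ereport() whose argument list is itself built from macros, with the SSL status hoisted into its own macro the way the mail shows. The Port struct, FATAL, the errcode value and the message buffer are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* USE_SSL is defined here so the ssl field exists; delete this line to
 * compile the non-SSL branch instead. */
#define USE_SSL 1

/* Stand-in for the backend's Port struct: only the fields the message uses. */
typedef struct Port {
    const char *user_name;
    const char *database_name;
#ifdef USE_SSL
    void *ssl;                  /* non-NULL once the connection is encrypted */
#endif
} Port;

/* Stand-ins for ereport()/errcode()/errmsg(): macros, like the real ones. C
 * leaves a #ifdef inside a macro's argument list undefined (C99 6.10.3p11). */
#define FATAL 21                                        /* constructed value */
#define ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION 28  /* constructed value */
static char last_message[256];
#define errcode(c)   ((void)(c))
#define errmsg(...)  ((void)snprintf(last_message, sizeof last_message, __VA_ARGS__))
#define ereport(level, rest) do { (void)(level); rest; } while (0)
/* So the conditional is hoisted out of the call, as in the patch above. */
#ifdef USE_SSL
#define EREPORT_SSL_STATUS (port->ssl ? "on" : "off")
#else
#define EREPORT_SSL_STATUS "off"
#endif

/* Builds the pg_hba.conf rejection text for one connection and returns it. */
const char *hba_reject_message(const Port *port, const char *hostinfo)
{
    ereport(FATAL,
            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", "
                    "database \"%s\", SSL \"%s\"",
                    hostinfo, port->user_name, port->database_name,
                    EREPORT_SSL_STATUS)));
    return last_message;
}

int main(void)
{
    int ssl_handle;                      /* any non-NULL pointer will do */
    Port encrypted = { "alice", "prod", &ssl_handle }, plain = { "alice", "prod", NULL };
    puts(hba_reject_message(&encrypted, "10.0.0.5"));   /* ... SSL "on" */
    puts(hba_reject_message(&plain, "10.0.0.5"));       /* ... SSL "off" */
    return 0;
}
```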