At long last I put together a patch to support 4 client SSL negotiation

modes (and replace the requiressl boolean). The four options were first
spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
to pgsql-hackers, archived here:

http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php

My original less-flexible patch and the ensuing thread are archived at:

http://dbforums.com/t623845.html

Attached is a new patch, including documentation.

To sum up, there's a new client parameter "sslmode" and environment
variable "PGSSLMODE", with these options:

sslmode   description
-------   -----------
disable   Unencrypted non-SSL only
allow     Negotiate, prefer non-SSL
prefer    Negotiate, prefer SSL (default)
require   Require SSL

The only change to the server is a new pg_hba.conf line type,
"hostnossl", for specifying connections that are not allowed to use SSL
(for example, to prevent servers on a local network from accidentally
using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:

pg_hba.conf line types
----------------------
host       applies to either SSL or regular connections
hostssl    applies only to SSL connections
hostnossl  applies only to regular connections

These client and server options, the postgresql.conf ssl = false option,
and finally the possibility of compiling with no SSL support at all,
make quite a range of combinations to test. I threw together a test
script to try many of them out. It's in a separate tarball with its
config files, a patch to psql so it'll announce SSL connections even in
absence of a tty, and the test output. The test is especially informative
when run on the same tty the postmaster was started on, so the FATAL:
errors during negotiation are interleaved with the psql client output.

I saw Tom write that new submissions for 7.4 have to be in before midnight
local time, and since I'm on the east coast in the US, this just makes it
in before the bell. :)

Jon Jensen

doc/src/sgml/client-auth.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.52 2003/06/25 01:20:50 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.53 2003/07/26 13:50:01 momjian Exp $
 -->
 
 <chapter id="client-authentication">
@@ -83,13 +83,15 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.52 2003/06/25 01:20:50
   </para>
 
   <para>
-   A record may have one of the five formats
+   A record may have one of the seven formats
 <synopsis>
 local   <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
 host    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
 hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
+hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
 host    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
 hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
+hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable>  <replaceable>authentication-method</replaceable>  <optional><replaceable>authentication-option</replaceable></optional>
 </synopsis>
    The meaning of the fields is as follows:
 
@@ -136,6 +138,17 @@ hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><literal>hostnossl</literal></term>
+     <listitem>
+      <para>
+       This record is similar to <literal>hostssl</> but with the
+	   opposite logic: it matches only regular connection attempts not
+	   using SSL.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term><replaceable>database</replaceable></term>
      <listitem>
@@ -196,8 +209,8 @@ hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <
       </para>
 
       <para>
-       These fields only apply to <literal>host</literal> and
-       <literal>hostssl</literal> records.
+       These fields only apply to <literal>host</literal>,
+       <literal>hostssl</literal>, and <literal>hostnossl</> records.
       </para>
      </listitem>
     </varlistentry>
@@ -224,8 +237,8 @@ hostssl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <
       </para>
 
       <para>
-       This field only applies to <literal>host</literal> and
-       <literal>hostssl</literal> records.
+       This field only applies to <literal>host</literal>,
+       <literal>hostssl</literal>, and <literal>hostnossl</> records.
       </para>
      </listitem>
     </varlistentry>  

doc/src/sgml/libpq.sgml

@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v 1.128 2003/07/23 17:27:28 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v 1.129 2003/07/26 13:50:01 momjian Exp $
 -->
 
  <chapter id="libpq">
@@ -206,14 +206,44 @@ PGconn *PQconnectdb(const char *conninfo);
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><literal>sslmode</literal></term>
+     <listitem>
+	 <para>
+      This option determines whether or with what priority an <acronym>SSL</>
+      connection will be negotiated with the server. There are four
+      modes: <literal>disable</> will attempt only an unencrypted
+      <acronym>SSL</> connection; <literal>allow</> will negotiate,
+      trying first a non-<acronym>SSL</> connection, then if that fails,
+      trying an <acronym>SSL</> connection; <literal>prefer</>
+	  (the default) will negotiate, trying first an <acronym>SSL</> connection,
+	  then if that fails, trying a regular non-<acronym>SSL</> connection;
+      <literal>require</> will try only an <acronym>SSL</> connection.
+	 </para>
+	 <para>
+	  If <productname>PostgreSQL</> is compiled without SSL support,
+	  using option <literal>require</> will cause an error, and options
+	  <literal>allow</> and <literal>prefer</> will be tolerated but
+	  <application>libpq</> will be unable to negotiate an <acronym>SSL</>
+	  connection.
+     </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term><literal>requiressl</literal></term>
      <listitem>
      <para>
-      If set to 1, an <acronym>SSL</acronym> connection to the server is required.
+	  This option is deprecated in favor of the <literal>sslmode</>
+	  setting.
+	 </para>
+	 <para>
+      If set to 1, an <acronym>SSL</acronym> connection to the server is required
+	  (this is equivalent to <literal>sslmode</> <literal>require</>).
       <application>libpq</> will then refuse to connect if the server does not
       accept an <acronym>SSL</acronym> connection.
-      If set to 0 (default), <application>libpq</> will negotiate the connection type with server.
+      If set to 0 (default), <application>libpq</> will negotiate the connection
+	  type with the server (equivalent to <literal>sslmode</> <literal>prefer</>).
       This option is only available if
       <productname>PostgreSQL</> is compiled with SSL support.
      </para>
@@ -3140,6 +3170,27 @@ the <productname>PostgreSQL</productname> server.
 </listitem>
 <listitem>
 <para>
+<indexterm>
+ <primary><envar>PGSSLMODE</envar></primary>
+</indexterm>
+<envar>PGSSLMODE</envar> determines whether and with what priority an
+<acronym>SSL</> connection will be negotiated with the server. There are
+four modes: <literal>disable</> will attempt only an unencrypted
+<acronym>SSL</> connection; <literal>allow</> will negotiate,
+trying first a non-<acronym>SSL</> connection, then if that fails,
+trying an <acronym>SSL</> connection; <literal>prefer</>
+(the default) will negotiate, trying first an <acronym>SSL</>
+connection, then if that fails, trying a regular non-<acronym>SSL</>
+connection; <literal>require</> will try only an <acronym>SSL</>
+connection. If <productname>PostgreSQL</> is compiled without SSL support,
+using option <literal>require</> will cause an error, and options
+<literal>allow</> and <literal>prefer</> will be tolerated but
+<application>libpq</> will be unable to negotiate an <acronym>SSL</>
+connection.
+</para>
+</listitem>
+<listitem>
+<para>
 <indexterm>
  <primary><envar>PGREQUIRESSL</envar></primary>
 </indexterm>
@@ -3147,8 +3198,10 @@ the <productname>PostgreSQL</productname> server.
 made over <acronym>SSL</acronym>. If set to
 <quote>1</quote>, <application>libpq</>
 will refuse to connect if the server does not accept
-an <acronym>SSL</acronym> connection.
-This option is only available if
+an <acronym>SSL</acronym> connection (equivalent to <literal>sslmode</>
+<literal>prefer</>).
+This option is deprecated in favor of the <literal>sslmode</>
+setting, and is only available if
 <productname>PostgreSQL</> is compiled with SSL support.
 </para>
 </listitem>