At long last I put together a patch to support 4 client SSL negotiation

modes (and replace the requiressl boolean). The four options were first spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email to pgsql-hackers, archived here: http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php My original less-flexible patch and the ensuing thread are archived at: http://dbforums.com/t623845.html Attached is a new patch, including documentation. To sum up, there's a new client parameter "sslmode" and environment variable "PGSSLMODE", with these options: sslmode description ------- ----------- disable Unencrypted non-SSL only allow Negotiate, prefer non-SSL prefer Negotiate, prefer SSL (default) require Require SSL The only change to the server is a new pg_hba.conf line type, "hostnossl", for specifying connections that are not allowed to use SSL (for example, to prevent servers on a local network from accidentally using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are: pg_hba.conf line types ---------------------- host applies to either SSL or regular connections hostssl applies only to SSL connections hostnossl applies only to regular connections These client and server options, the postgresql.conf ssl = false option, and finally the possibility of compiling with no SSL support at all, make quite a range of combinations to test. I threw together a test script to try many of them out. It's in a separate tarball with its config files, a patch to psql so it'll announce SSL connections even in absence of a tty, and the test output. The test is especially informative when run on the same tty the postmaster was started on, so the FATAL: errors during negotiation are interleaved with the psql client output. I saw Tom write that new submissions for 7.4 have to be in before midnight local time, and since I'm on the east coast in the US, this just makes it in before the bell. :) Jon Jensen
2025-06-26 12:21:12 +03:00 · 2003-07-26 13:50:02 +00:00
parent 5f2499d5af
commit 397831e103
6 changed files with 286 additions and 36 deletions
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.105 2003/07/23 23:30:40 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.106 2003/07/26 13:50:02 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -439,10 +439,16 @@ ClientAuthentication(Port *port)
 								NULL, 0,
 								NI_NUMERICHOST);

+#ifdef USE_SSL
+#define EREPORT_SSL_STATUS	(port->ssl ? "on" : "off")
+#else
+#define EREPORT_SSL_STATUS	"off"
+#endif
+
 				ereport(FATAL,
 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-						 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
-								hostinfo, port->user_name, port->database_name)));
+						 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
+								hostinfo, port->user_name, port->database_name, EREPORT_SSL_STATUS)));
 				break;
 			}

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.107 2003/07/23 23:30:40 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.108 2003/07/26 13:50:02 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -595,10 +595,12 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
 		if (port->raddr.addr.ss_family != AF_UNIX)
 			return;
 	}
-	else if (strcmp(token, "host") == 0 || strcmp(token, "hostssl") == 0)
+	else if (strcmp(token, "host") == 0
+			|| strcmp(token, "hostssl") == 0
+			|| strcmp(token, "hostnossl") == 0)
 	{

-		if (strcmp(token, "hostssl") == 0)
+		if (token[4] == 's')  /* "hostssl" */
 		{
 #ifdef USE_SSL
 			/* Record does not match if we are not on an SSL connection */
@ -614,6 +616,14 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
 			goto hba_syntax;
 #endif
 		}
+#ifdef USE_SSL
+		else if (token[4] == 'n')  /* "hostnossl" */
+		{
+			/* Record does not match if we are on an SSL connection */
+			if (port->ssl)
+				return;
+		}
+#endif

 		/* Get the database. */
 		line = lnext(line);