A bit of cleanup after SSL patch. Add it to config file, improve

documentation.
2025-04-22 23:02:54 +03:00 · 2000-09-06 19:54:52 +00:00 · 2000-09-06 19:54:52 +00:00 · ffd9aaa0a9
commit ffd9aaa0a9
parent 6dc249610a
7 changed files with 260 additions and 211 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.5 2000/08/29 04:15:43 momjian Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.6 2000/09/06 19:54:45 petere Exp $ -->
 <chapter id="client-authentication">
 <title>Client Authentication</title>
@ -45,14 +45,14 @@
   of a set of records, one per line. Blank lines and lines beginning
   with a hash character (<quote>#</quote>) are ignored. A record is
   made up of a number of fields which are separated by spaces and/or
-   tabs.
+   tabs and cannot be continued across several lines.
  </para>
  <para>
-   A record may have one of the two formats
+   A record may have one of the three formats
   <synopsis>
-local <replaceable>database</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
+local   <replaceable>database</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
-host <replaceable>database</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
+host    <replaceable>database</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
 hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
    </synopsis>
   The meaning of the fields is as follows:
@ -85,11 +85,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
     <listitem>
      <para>
       This record pertains to connection attemps with SSL over
-       TCP/IP. Note that SSL connections are completely disabled
+       TCP/IP. To make use of this option the server must be
-       unless the server is started with the <option>-i</option>,
+       built with SSL support enabled. Furthermore, SSL must be
-       and also require ordinary TCP/IP connections to be enabled.
+       enabled with the <option>-l</> option or equivalent configuration
-       SSL connections also require SSL support to be enabled in
+       setting when the server is started.
       the backend at compile time.
      </para>
     </listitem>
    </varlistentry>
@ -100,7 +99,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
      <para>
       Specifies the database that this record applies to. The value
       <literal>all</literal> specifies that it applies to all
-       databases.
+       databases, the value <literal>sameuser</> identifies the
       database with the same name as the connecting user.
      </para>
     </listitem>
    </varlistentry>
@ -129,8 +129,108 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
     <term><replaceable>authentication method</replaceable></term>
     <listitem>
      <para>
-       Specifies the method a user must use to authenticate themselves
+       Specifies the method that users must use to authenticate themselves
-       when connecting to that database.
+       when connecting to that database. The possible choices follow,
       details are in <xref linkend="auth-methods">.
       <variablelist>
        <varlistentry>
         <term>trust</>
         <listitem>
         <para>
          The connection is allowed unconditionally. This method allows
          any user that has login access to the client host to connect as
          any user whatsoever.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>reject</>
        <listitem>
         <para>
          The connection is rejected unconditionally. This is mostly
          useful to <quote>filter out</> certain hosts from a group.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>password</>
        <listitem>
         <para>
          The client is required to supply a password with the connection
          attempt which is required to match the password that was set up
          for the user.
         </para>
         <para>
          An optional file name may be specified after the
          <literal>password</literal> keyword. This file is expected to
          contain a list of users that this record pertains to, and
          optionally alternative passwords.
         </para>
         <para>
          The password is sent over the wire in clear text. For better
          protection, use the <literal>crypt</literal> method.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>crypt</>
        <listitem>
         <para>
          Like the <literal>password</literal> method, but the password
          is sent over the wire encrypted using a simple
          challenge-response protocol. This is still not
          cryptographically secure but it protects against incidental
          wire-sniffing. The name of a file may follow the
          <literal>crypt</literal> keyword that contains a list of users
          that this record pertains to.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>krb4</>
        <listitem>
         <para>
          Kerberos V4 is used to authenticate the user. This is only
          available for TCP/IP connections.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>krb5</term>
        <listitem>
         <para>
          Kerberos V5 is used to authenticate the user. This is only
          available for TCP/IP connections.
         </para>
        </listitem>
       </varlistentry>
       <varlistentry>
        <term>ident</term>
        <listitem>
         <para>
          The ident server on the client host is asked for the identity
          of the connecting user. <productname>Postgres</productname>
          then verifies whether the so identified operating system user
          is allowed to connect as the database user that is requested.
          The <replaceable>authentication option</replaceable> following
          the <literal>ident</> keyword specifies the name of an
          <firstterm>ident map</firstterm> that specifies which operating
          system users equate with which database users. See below for
          details.
         </para>
        </listitem>
       </varlistentry>
      </variablelist>
      </para>
     </listitem>
    </varlistentry>
@ -140,15 +240,15 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
     <listitem>
      <para>
       This field is interpreted differently depending on the
-       authentication method.
+       authentication method, as described there.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
-   The first record that matches a connection attempt is used. Note
+   The first record that matches a connection attempt is used. There
-   that there is no <quote>fall-through</quote> or
+   is no <quote>fall-through</> or <quote>backup</>, that means, if
-   <quote>backup</quote>, that is, if one record is chosen and the
+   one record is chosen and the
   authentication fails, the following records are not considered. If
   no record matches, the access will be denied.
  </para>
@ -167,19 +267,42 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
   <example id="example-pg-hba.conf">
    <title>An example <filename>pg_hba.conf</filename> file</title>
 <programlisting>
-# Trust any connection via Unix domain sockets.
+#TYPE    DATABASE       IP-ADDRESS     MASK                AUTHTYPE   ARG
-local	trust
+
-# Trust any connection via TCP/IP from this machine.
+# Allow any user on the local system to connect to any database under
-host	all	127.0.0.1	255.255.255.255		trust
+# any user name.
-# We don't like this machine.
+#
-host	all	192.168.0.10	255.255.255.0		reject
+host     all            127.0.0.1      255.255.255.255     trust     
-# This machine can't encrypt so we ask for passwords in clear.
+ 
-host	all	192.168.0.3	255.255.255.0		password
+# Allow any user from any host with IP address 192.168.93.x to connect
-# The rest of this group of machines should provide encrypted passwords.
+# to database "template1" as the same user name that ident on that
-host	all	192.168.0.0	255.255.255.0		crypt
+# host identifies him as (typically his Unix user name).
-# Authenticate these networks using ident
+#
-host    all     192.168.1.0     255.255.255.0           ident usermap
+host     template1      192.168.93.0   255.255.255.0       ident      sameuser
-host    all     192.168.2.0     255.255.255.0           ident othermap
+
 # Allow a user from host 192.168.12.10 to connect to database
 # "template1" if the user's password in pg_shadow is supplied.
 #
 host     template1      192.168.12.10  255.255.255.255     crypt
 # In absence of the other records, this would allow anyone anywhere
 # except from 192.168.54.1 to connect to any database under any user
 # name.
 #
 host     all            192.168.54.1   255.255.255.255     reject
 host     all            0.0.0.0        0.0.0.0             trust
 # Allow users from 192.168.77.x hosts to connect to any database, but if,
 # for example, ident says the user is "bryanh" and he requests to
 # connect as PostgreSQL user "guest1", the connection is only allowed if
 # there is an entry for map "omicron" in `pg_ident.conf' that says
 # "bryanh" is allowed to connect as "guest1".
 #
 host     all            192.168.77.0  255.255.255.0        ident      omicron
 # Allow all users to connect to all databases via Unix sockets.
 #
 local        all                                           trust
 </programlisting>
   </example>
  </para>
@ -188,104 +311,7 @@ host    all     192.168.2.0     255.255.255.0           ident othermap
 <sect1 id="auth-methods">
  <title>Authentication methods</title>
  <para>
-   The following authentication methods are supported. They are
+   The following describes the authentication methods in detail.
   descibed in detail below.
   <variablelist>
    <varlistentry>
     <term>trust</term>
     <listitem>
      <para>
       The connection is allowed unconditionally. This method allows
       any user that has login access to the client host to connect as
       any user whatsoever. Use with care.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>reject</term>
     <listitem>
      <para>
       The connection is rejected unconditionally. This is mostly
       useful to <quote>filter out</quote> certain hosts from a group.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>password</term>
     <listitem>
      <para>
       The client is required to supply a password with the connection
       attempt which is required to match the password that was set up
       for the user.
      </para>
      <para>
       An optional file name may be specified after the
       <literal>password</literal> keyword. This file is expected to
       contain a list of users that this record pertains to, and
       optionally alternative passwords.
      </para>
      <para>
       The password is sent over the wire in clear text. For better
       protection, use the <literal>crypt</literal> method.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>crypt</term>
     <listitem>
      <para>
       Like the <literal>password</literal> method, but the password
       is sent over the wire encrypted using a simple
       challenge-response protocol. This is still not
       cryptographically secure but it protects against incidental
       wire-sniffing. The name of a file may follow the
       <literal>crypt</literal> keyword that contains a list of users
       that this record pertains to.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>krb4</term>
     <listitem>
      <para>
       Kerberos V4 is used to authenticate the user. This is only
       available for TCP/IP connections.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>krb5</term>
     <listitem>
      <para>
       Kerberos V5 is used to authenticate the user. This is only
       available for TCP/IP connections.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>ident</term>
     <listitem>
      <para>
       The ident server on the client host is asked for the identity
       of the connecting user. <productname>Postgres</productname>
       then verifies whether the so identified operating system user
       is allowed to connect as the database user that is requested.
       The <replaceable>authentication option</replaceable> following
       the <literal>ident</> keyword specifies the name of an
       <firstterm>ident map</firstterm> that specifies which operating
       system users equate with which database users. See below for
       details.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
  <sect2>
@ -398,8 +424,8 @@ host    all     192.168.2.0     255.255.255.0           ident othermap
   <para>
    To generate the keytab file, use for example (with version 5)
 <screen>
-kadmin% <userinput>ank -randkey postgres/server.my.domain.org</>
+<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
-kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
+<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
 </screen>
    Read the <productname>Kerberos</> documentation for defails.
   </para>
@ -528,29 +554,26 @@ kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
    conjunction with the <filename>pg_hba.conf</> file in <xref
    linkend="example-pg-hba.conf"> is shown in <xref
    linkend="example-pg-ident.conf">. In that example setup, anyone
-    logged in to a machine on the 192.168.1 network that does not have
+    logged in to a machine on the 192.168.77 network that does not have
-    the a user name joe, robert, or ann would not be granted access.
+    the a user name bryanh, ann, or robert would not be granted access.
    Unix user robert would only be allowed access when he tries to
    connect as <quote>bob</quote>, not as <quote>robert</quote> or
-    anyone else. <quote>ann</quote> and <quote>joe</quote> would only
+    anyone else. <quote>ann</quote> would only be allowed to connect
-    be allowed to connect <quote>as themselves</quote>. On the
+    <quote>as herself</>. User bryanh would be allowed to connect as either
-    192.168.2 network, however, a user <quote>ann</quote> would not be
+    <quote>bryanh</> himself or as <quote>guest1</>.
    allowed to connect at all, only the user <quote>bob</> can connect
    as <quote>bob</> and some user <quote>karl</> can connect as
    <quote>joe</> as well.
   </para>
   <example id="example-pg-ident.conf">
    <title>An example <filename>pg_ident.conf</> file</title>
 <programlisting>
-usermap         joe     joe
+#MAP           IDENT-NAME   POSTGRESQL-NAME
 # bob has username robert on these machines
 usermap         robert  bob
 usermap         ann     ann
-othermap        joe     joe
+omicron        bryanh       bryanh
-othermap        bob     bob
+omicron        ann          ann
-othermap        karl    joe
+# bob has username robert on these machines
 omicron        robert       bob
 # bryanh can also connect as guest1
 omicron        bryanh       guest1
 </programlisting>
   </example>
  </sect2>
@ -605,4 +628,3 @@ FATAL 1:  Database testdb does not exist in pg_database
  </sect1>
 </chapter>
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.16 2000/08/29 20:02:07 momjian Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.17 2000/09/06 19:54:45 petere Exp $ -->
 <chapter id="installation">
 <title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
@ -354,7 +354,7 @@ su - postgres
         The man pages that come with <productname>PostgreSQL</> will be installed under
         this directory, in their respective
         <filename>man<replaceable>x</></> subdirectories.
-         <filename><replaceable>PREFIX</>/man</>.
+         The default is <filename><replaceable>PREFIX</>/man</>.
        </para>
       </listitem>
      </varlistentry>
@ -581,15 +581,16 @@ su - postgres
       <term>--with-openssl=<replaceable>DIRECTORY</></term>
       <listitem>
        <para>
-         Build with support for SSL (encrypted) connections. 
+         Build with support for <acronym>SSL</> (encrypted) connections. 
-         This requires the OpenSSL library to be installed.
+         This requires the <productname>OpenSSL</> package to be installed.
         The <replaceable>DIRECTORY</> argument specifies the
-         root directory of the OpenSSL installation.
+         root directory of the <productname>OpenSSL</> installation; the
         default is <filename>/usr/local/ssl</>.
        </para>
        <para>
         <filename>configure</> will check for the required header
-         files and libraries to make sure that your OpenSSL
+         files and libraries to make sure that your <productname>OpenSSL</>
         installation is sufficient before proceeding.
        </para>
       </listitem>
@ -601,7 +602,7 @@ su - postgres
        <para>
         Enables the <productname>PostgreSQL</> server to use the
         syslog logging facility. (Using this option does not mean
-         that you will have to log with syslog or even that it will be done
+         that you must log with syslog or even that it will be done
         by default, it simply makes it possible to turn this option
         on at run time.)
        </para>
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.23 2000/08/29 20:02:07 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.24 2000/09/06 19:54:45 petere Exp $
 -->
 <Chapter Id="runtime">
@ -941,18 +941,6 @@ env PGOPTIONS='--geqo=off' psql
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>TCPIP_SOCKET (<type>boolean</type>)</term>
      <listitem>
       <para>
        If this is true, then the server will accept TCP/IP
        connections. Otherwise only local Unix domain socket
        connections are accepted. It is off by default. This option
        can only be set at server start.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>PORT (<type>integer</type>)</term>
      <listitem>
@ -1005,6 +993,29 @@ env PGOPTIONS='--geqo=off' psql
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>SSL (<type>boolean</type>)</term>
      <listitem>
       <para>
        Enables <acronym>SSL</> connections. Please read
        <xref linkend="ssl"> before using this. The default
        is off.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>TCPIP_SOCKET (<type>boolean</type>)</term>
      <listitem>
       <para>
        If this is true, then the server will accept TCP/IP
        connections. Otherwise only local Unix domain socket
        connections are accepted. It is off by default. This option
        can only be set at server start.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>
   </sect2>
@ -1048,6 +1059,11 @@ env PGOPTIONS='--geqo=off' psql
        <entry>tcpip_socket = on</entry>
        <entry></entry>
       </row>
       <row>
        <entry>-l</entry>
        <entry>ssl = on</entry>
        <entry></entry>
       </row>
       <row>
        <entry>-N <replaceable>x</replaceable></entry>
        <entry>max_connections = <replaceable>x</replaceable></entry>
@ -1726,64 +1742,66 @@ perl: warning: Falling back to the standard locale ("C").
  </para>
 </sect1>
- <sect1>
+ <sect1 id="ssl">
-  <title>Secure TCP/IP Connection with SSL</title>
+  <title>Secure TCP/IP Connections with SSL</title>
  <para>
-   PostgreSQL has native support for connections over SSL to encrypt
+   <productname>PostgreSQL</> has native support for connections over
   <acronym>SSL</> to encrypt
   client/server communications for increased security. This requires
   <productname>OpenSSL</productname> to be installed on both client
-   and server systems and support enabled at compile-time using
+   and server systems and support enabled at build-time (see <xref
-   the configure script.
+   linkend="installation">).
  </para>
  <para>
-   With SSL support compiled in, the Postgres backend can be 
+   With SSL support compiled in, the <productname>PostgreSQL</> server
-   started with argument -l to enable SSL connections. 
+   can be started with the argument <option>-l</> (ell) to enable
-   When starting in SSL mode, the postmaster will look for the 
+   SSL connections. When starting in SSL mode, the postmaster will look
-   files <filename>server.key</filename> and
+   for the files <filename>server.key</> and <filename>server.crt</> in
-   <filename>server.cert</filename> in the <envar>PGDATA</envar>
+   the data directory. These files should contain the server private key
-   directory. These files should contain the server private key and
+   and certificate respectively. These files must be set up correctly
-   certificate respectively. If the private key is protected with a 
+   before an SSL-enabled server can start. If the private key is protected
-   passphrase, the postmaster will prompt for the passphrase and not 
+   with a passphrase, the postmaster will prompt for the passphrase and will
-   start until it has been provided.
+   not start until it has been provided.
  </para>
  <para>
   The postmaster will listen for both standard and SSL connections
   on the same TCP/IP port, and will negotiate with any connecting
-   client wether to use SSL or not. Use the <filename>pg_hba.conf</filename>
+   client wether to use SSL or not. See <xref linkend="client-authentication">
-   file to optionally require SSL in order to accept a connection.
+   about how to force on the server side the use of SSL for certain
   connections.
  </para>
  <para>
   For details on how to create your server private key and certificate,
-   refer to the OpenSSL documentation. A simple self-signed certificate
+   refer to the <productname>OpenSSL</> documentation. A simple self-signed
-   can be used to get started testing, but a certificate signed by a CA
+   certificate can be used to get started testing, but a certificate signed
-   (either one of the global CAs or a local one) should be used in 
+   by a CA (either one of the global CAs or a local one) should be used in 
   production so the client can verify the servers identity. To create
   a quick self-signed certificate, use the <filename>CA.pl</filename>
   script included in OpenSSL:
 <programlisting>
-   CA.pl -newcert
+CA.pl -newcert
 </programlisting>
   Fill out the information the script asks for. Make sure to enter
-   the local hostname as Common Name. The script will generate a key
+   the local host name as Common Name. The script will generate a key
-   which is passphrase protected. To remove the passphrase (required
+   that is passphrase protected. To remove the passphrase (required
   if you want automatic start-up of the postmaster), run the command
 <programlisting>
-   openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
+openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
 </programlisting>
   Enter the old passphrase to unlock the existing key. Copy the file
-   <filename>newreq.pem</filename> to <filename>PGDATA/server.cert</filename>
+   <filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</>
-   and <filename>newkey_no_passphrase.pem</filename> to 
+   and <filename>newkey_no_passphrase.pem</> to
-   <filename>PGDATA/server.key</filename>. Remove the PRIVATE KEY part
+   <filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part
-   from the <filename>server.cert</filename> using any text editor.
+   from the <filename>server.crt</filename> using any text editor.
  </para>
 </sect1>
 <sect1>
-  <title>Secure TCP/IP Connection with SSH</title>
+  <title>Secure TCP/IP Connections with SSH tunnels</title>
  <note>
   <title>Acknowledgement</title>
@ -1828,6 +1846,13 @@ psql -h localhost -p 3333 template1
   terminal session.
  </para>
  <tip>
   <para>
    Several other products exist that can provide secure tunnels using
    a procedure similar in concept to the one just described.
   </para>
  </tip>
 </sect1>
 </Chapter>
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.165 2000/09/06 14:15:19 petere Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.166 2000/09/06 19:54:46 petere Exp $
 *
 * NOTES
 *
@ -193,10 +193,8 @@ static bool Reinit = true;
 static int	SendStop = false;
 bool NetServer = false;	/* listen on TCP/IP */
 bool EnableSSL = false;
 #ifdef USE_SSL
 static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */
 #endif
 static pid_t StartupPID = 0,
 			ShutdownPID = 0;
@ -452,7 +450,7 @@ PostmasterMain(int argc, char *argv[])
 				break;
 #ifdef USE_SSL
 			case 'l':
- 			        DisableSSL = true;
+			        EnableSSL = true;
 				break;
 #endif
 			case 'm':
@ -563,13 +561,13 @@ PostmasterMain(int argc, char *argv[])
 	}
 #ifdef USE_SSL
-	if (!NetServer && !DisableSSL)
+	if (EnableSSL && !NetServer)
 	{
-		fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n",
+		fprintf(stderr, "%s: For SSL, TCP/IP connections must be enabled. See -? for help.\n",
 				progname);
 		exit(1);
 	}
-	if (!DisableSSL)
+	if (EnableSSL)
 	        InitSSL();
 #endif
@ -750,9 +748,9 @@ usage(const char *progname)
 	printf("  -d 1-5          debugging level\n");
 	printf("  -D <directory>  database directory\n");
 	printf("  -F              turn fsync off\n");
-	printf("  -i              listen on TCP/IP sockets\n");
+	printf("  -i              enable TCP/IP connections\n");
 #ifdef USE_SSL
-	printf("  -l              disable SSL\n");
+	printf("  -l              enable SSL connections\n");
 #endif
 	printf("  -N <number>     maximum number of allowed connections (1..%d, default %d)\n",
 			MAXBACKENDS, DEF_MAXBACKENDS);
@ -1060,7 +1058,7 @@ readStartupPacket(void *arg, PacketLen len, void *pkt)
 		char		SSLok;
 #ifdef USE_SSL
-                if (DisableSSL || port->laddr.sa.sa_family != AF_INET)
+                if (!EnableSSL || port->laddr.sa.sa_family != AF_INET)
 		        /* No SSL when disabled or on Unix sockets */
   		        SSLok = 'N';
 		else
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@ -4,7 +4,7 @@
 * Support for grand unified configuration scheme, including SET
 * command, configuration file, and command line options.
 *
- * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.10 2000/08/28 11:57:41 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.11 2000/09/06 19:54:47 petere Exp $
 *
 * Copyright 2000 by PostgreSQL Global Development Group
 * Written by Peter Eisentraut <peter_e@gmx.net>.
@ -160,6 +160,7 @@ ConfigureNamesBool[] =
 	{"geqo",                    PGC_USERSET,    &enable_geqo,           true},
 	{"tcpip_socket",            PGC_POSTMASTER, &NetServer,             false},
 	{"ssl",                     PGC_POSTMASTER, &EnableSSL,             false},
 	{"fsync",                   PGC_USERSET,    &enableFsync,           true},
 	{"log_connections",         PGC_SIGHUP,     &Log_connections,       false},
--- a/src/bin/psql/startup.c
+++ b/src/bin/psql/startup.c
@ -3,7 +3,7 @@
 *
 * Copyright 2000 by PostgreSQL Global Development Group
 *
- * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.35 2000/08/30 14:54:23 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.36 2000/09/06 19:54:48 petere Exp $
 */
 #include "postgres.h"
@ -264,12 +264,13 @@ main(int argc, char *argv[])
 				   "Type:  \\copyright for distribution terms\n"
 				   "       \\h for help with SQL commands\n"
 				   "       \\? for help on internal slash commands\n"
-			  "       \\g or terminate with semicolon to execute query\n"
+				   "       \\g or terminate with semicolon to execute query\n"
 				   "       \\q to quit\n\n", pset.progname);
 		}
 #ifdef USE_SSL
-		printSSLInfo();
+			printSSLInfo();
 #endif
 		}
 		SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1);
 		SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2);
 		SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3);
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@ -12,7 +12,7 @@
 * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $Id: miscadmin.h,v 1.65 2000/09/06 14:15:24 petere Exp $
+ * $Id: miscadmin.h,v 1.66 2000/09/06 19:54:52 petere Exp $
 *
 * NOTES
 *	  some of the information in this file will be moved to
@ -107,6 +107,7 @@ extern int	SortMem;
   configuration file processor has access to them */
 extern bool NetServer;
 extern bool EnableSSL;
 extern int MaxBackends;
 extern int NBuffers;
 extern int PostPortName;