From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Sergio <sergio(dot)cinos(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [HACKERS] Client SSL validation using root.crt |
Date: | 2006-11-21 10:29:45 |
Message-ID: | 20061121102945.GB7205@svana.org |
Lists: | pgsql-general pgsql-hackers |
On Mon, Nov 20, 2006 at 10:30:31PM -0500, Tom Lane wrote:
> "Sergio" <sergio(dot)cinos(at)gmail(dot)com> writes:
> > I see a strange behaviour using root.crt. PostgreSQL always waits for a
> > client certificate to check against root.crt. But when I set up a
> > 'hostnossl' auth line in pg_hba.conf, PostgreSQL still wants a client
> > certificate.
>
> No, not really. The problem is that in the default PGSSLMODE=prefer
> behavior, libpq tries an SSL connection first. It's prepared to retry
> with a non-SSL connection if it gets a rejection from the server ...
> but if OpenSSL fails to establish the connection, it just dies
> immediately.
It is possible to continue communicating after SSL negotiation failure.
If SSL_accept/connect return 0, that means the negotiation failed
cleanly and in theory libpq could continue in non-SSL mode.
I think long term this would be the nicest solution (no double
connections) but it's probably more complicated than looping around
again after SSL failure.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.