Re: host and hostssl equivalence in pg_hba.conf

On Tue, 10 Jun 2003, Tom Lane wrote:

> "Nigel J. Andrews" <nandrews(at)investsystems(dot)co(dot)uk> writes:
> > How do people feel about changing matching for host and hostssl to be such that
> > a plain host line in pg_hba.conf does not allow a SSL connection but requires
> > the hostssl specifier?
>
> Then there would be no way to have a host entry that allowed both ---
> which, aside from being a loss of functionality, would doubtless break
> existing setups.

Well, what I was thinking of would have allowed it, just using two entries, a
host one and a hostssl one.

> I'd hold still for a "hostnossl" keyword, I guess, but I don't entirely
> see the use for it.

Well Jon Jenson's posted something else on this which I should read when I've
got my mind more in tune with it.

> If your real gripe is that libpq insists on trying SSL connections
> first, the server is the wrong end to be patching that problem at.
> There should be a way to control libpq's allow_ssl_try state variable
> from the outside.

A quick read makes me think that's what Jon's post is on about.

--
Nigel Andrews