Discussion:
forcing SSL
Eric
2004-02-14 19:13:05 UTC
In order to ensure all users are making SSL connections to the database,
in the file pg_hba.conf, I changed all the first columns into "hostssl"
such that there is neither "host" nor "local" left.

However, when I try to use a program written in Tcl to access the
database, even without the option "requiressl=1" for "pg_connect", the
program can still make a connection to the database.

(With the option "requiressl=1" present for "pg_connect", my program
can also connect to the database successfully)

May I know what the problem is and how to ensure incoming SSL
connections?

Thank you
Tom Lane
2004-02-15 05:26:59 UTC
Post by Eric
> In order to ensure all users are making SSL connections to the database,
> in the file pg_hba.conf, I changed all the first columns into "hostssl"
> such that there is neither "host" nor "local" left.
> However, when I try to use a program written in Tcl to access the
> database, even without the option "requiressl=1" for "pg_connect", the
> program can still make a connection to the database.

Is this a local-Unix-socket connection? We don't bother with SSL on
such connections. There's no point --- the only way to eavesdrop on
a local connection is to have broken into your kernel, at which point
it's game over anyway.

regards, tom lane

PS: it also occurs to me you might have forgotten to SIGHUP the
postmaster after editing pg_hba.conf...
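
A check for the situation discussed in this thread, as an added example (not code from either poster or from the PostgreSQL project): it lists the pg_hba.conf records that can still admit a connection without SSL. The sample file is constructed, the names `audit_hba` and `auth_method` are hypothetical, and `hostnossl` is a PostgreSQL record type the thread does not mention.

```python
import re
import shlex

# Constructed sample, not Eric's actual file (the thread does not show it).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS                    METHOD
local     all       all                              trust
hostssl   all       all   192.0.2.0/24               md5
host      all       all   127.0.0.1 255.255.255.255  md5
hostnossl all       all   0.0.0.0/0                  reject
"""

# Why each record type can admit a connection that is not SSL-protected.
NON_SSL_TYPES = {
    "local": "Unix-socket connection; SSL is never used on these",
    "host": "matches TCP connections with or without SSL",
    "hostnossl": "matches only TCP connections without SSL",
}

# A separate netmask field: dotted quad (IPv4) or anything containing ':' (IPv6).
NETMASK = re.compile(r"^\d+\.\d+\.\d+\.\d+$|:")


def auth_method(fields):
    """Return the authentication method field of one pg_hba.conf record."""
    if fields[0] == "local":
        return fields[3] if len(fields) > 3 else None
    # host* records: ADDRESS is CIDR/hostname, or an IP followed by a mask field.
    idx = 5 if len(fields) > 5 and NETMASK.search(fields[4]) else 4
    return fields[idx] if len(fields) > idx else None


def audit_hba(text):
    """List (line_no, type, reason) for records that allow non-SSL access."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted fields
        if not fields or fields[0] not in NON_SSL_TYPES:
            continue
        if auth_method(fields) == "reject":
            continue  # a reject rule admits nobody
        findings.append((line_no, fields[0], NON_SSL_TYPES[fields[0]]))
    return findings


if __name__ == "__main__":
    for line_no, rec_type, reason in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {rec_type}: {reason}")
```

The audit reads the file on disk, so a clean result only describes the running server once the postmaster has reloaded pg_hba.conf.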
