Re: Unfriendly handling of pg_hba SSL options with SSL off
Peter Eisentraut <peter_e@gmx.net>
From: Peter Eisentraut <peter_e@gmx.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Robert Haas <robertmhaas@gmail.com>, pgsql-hackers@postgresql.org
Date: 2011-04-25T18:03:21Z
Lists: pgsql-hackers
On mån, 2011-04-25 at 13:11 -0400, Tom Lane wrote: > Or we could go in the direction of making hostssl lines be a silent > no-op in both cases, but that doesn't seem like especially > user-friendly design to me. We don't treat any other cases in > pg_hba.conf comparably AFAIR. We ignore "local" even if the system doesn't have Unix-domain sockets. We ignore IPvN entries even if listen_addresses doesn't contain any IPvN addresses (this could be considered equivalent to ssl = on/off). In my experience, it is best to ignore these things. You don't lose anything -- if you don't have SSL configured, no one is going to connect with SSL -- and at best you're going to annoy admins who want to configure systems consistently.