Re: Unfriendly handling of pg_hba SSL options with SSL off
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-hackers@postgresql.org
Date: 2011-04-25T16:59:49Z
Lists: pgsql-hackers
On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > A recent complaint in pgsql-novice revealed that if you have say > > hostssl all all 127.0.0.1/32 md5 clientcert=1 > > in pg_hba.conf, but you forget to enable SSL in postgresql.conf, > you get something like this: > > LOG: client certificates can only be checked if a root certificate store is available > HINT: Make sure the root.crt file is present and readable. > CONTEXT: line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf" > LOG: client certificates can only be checked if a root certificate store is available > HINT: Make sure the root.crt file is present and readable. > CONTEXT: line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf" > FATAL: could not load pg_hba.conf > > Needless to say, this is pretty unhelpful, especially if you actually do > have a root.crt file. > > I'm inclined to think that the correct fix is to make parse_hba_line, > where it first realizes the line is "hostssl", check not only that SSL > support is compiled but that it's turned on. Is it really sensible to > allow hostssl lines in pg_hba.conf when SSL is turned off? At best > they are no-ops, and at worst they're going to result in weird failures > like this one. It's not clear to me what behavior you are proposing. Would we disregard the hostssl line or treat it as an error? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company