Commit 397831e
At long last I put together a patch to support 4 client SSL negotiation
modes (and replace the requiressl boolean). The four options were first
spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
to pgsql-hackers, archived here:

http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php

My original less-flexible patch and the ensuing thread are archived at:

http://dbforums.com/t623845.html

Attached is a new patch, including documentation.

To sum up, there's a new client parameter "sslmode" and environment
variable "PGSSLMODE", with these options:

sslmode     description
-------     -----------
disable     Unencrypted non-SSL only
allow       Negotiate, prefer non-SSL
prefer      Negotiate, prefer SSL (default)
require     Require SSL

The only change to the server is a new pg_hba.conf line type,
"hostnossl", for specifying connections that are not allowed to use SSL
(for example, to prevent servers on a local network from accidentally
using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:

pg_hba.conf line types
----------------------
host        applies to either SSL or regular connections
hostssl     applies only to SSL connections
hostnossl   applies only to regular connections

These client and server options, the postgresql.conf ssl = false option,
and finally the possibility of compiling with no SSL support at all,
make quite a range of combinations to test. I threw together a test
script to try many of them out. It's in a separate tarball with its
config files, a patch to psql so it'll announce SSL connections even in
absence of a tty, and the test output. The test is especially informative
when run on the same tty the postmaster was started on, so the FATAL:
errors during negotiation are interleaved with the psql client output.

I saw Tom write that new submissions for 7.4 have to be in before midnight
local time, and since I'm on the east coast in the US, this just makes it
in before the bell. :)

Jon Jensen
1 parent 5f2499d, commit 397831e
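The combinations the commit message's test script walks through (four sslmode values, server with or without SSL, host/hostssl/hostnossl lines) can be modelled in a few lines. This is an added example, not code from the PostgreSQL patch or from Jon Jensen's test tarball; the function names (connect, hba_matches, encrypted_or_refused) and the simplified server behaviour are my own assumptions, and it shows in particular that only require never ends on a plaintext transport.

```python
# Added example, not code from the PostgreSQL patch: a small model of the
# client/server combinations the commit message's test script exercises.
# It applies the documented rules for the four sslmode values and the three
# pg_hba.conf host* line types; the names used here are my own.

SSLMODES = ("disable", "allow", "prefer", "require")

# Transports libpq tries, in order, for each sslmode (per the libpq.sgml text).
ATTEMPT_ORDER = {
    "disable": ("plain",),
    "allow": ("plain", "ssl"),
    "prefer": ("ssl", "plain"),
    "require": ("ssl",),
}

def hba_matches(line_type: str, ssl: bool) -> bool:
    """Does a pg_hba.conf line of this type match a connection that is/isn't on SSL?"""
    return {"host": True, "hostssl": ssl, "hostnossl": not ssl}[line_type]

def connect(sslmode: str, server_ssl: bool, hba_types: list):
    """Simulate negotiation. Returns (transport, log); transport is 'ssl',
    'plain', or None when every attempt fails.

    Simplifying assumptions: each pg_hba.conf line covers this host, user and
    database, so only the line type decides the match, and a server without
    SSL answers every SSLRequest with 'N'.
    """
    log = []
    for transport in ATTEMPT_ORDER[sslmode]:
        ssl = transport == "ssl"
        if ssl and not server_ssl:
            log.append("server answered SSLRequest with N")
            continue
        if any(hba_matches(t, ssl) for t in hba_types):
            log.append(f"connected over {transport}")
            return transport, log
        # The server's FATAL is what makes libpq move on to its next attempt.
        log.append(f'FATAL: no pg_hba.conf entry ..., SSL "{"on" if ssl else "off"}"')
    return None, log

def encrypted_or_refused(sslmode: str) -> bool:
    """True only for a mode that can never end up on a plaintext transport."""
    return all(connect(sslmode, s, ["host"])[0] in ("ssl", None)
               for s in (True, False))

if __name__ == "__main__":
    for mode in SSLMODES:
        for server_ssl in (True, False):
            transport, log = connect(mode, server_ssl, ["hostssl"])
            print(f"{mode:8} server_ssl={server_ssl!s:5} -> {transport}; {'; '.join(log)}")
```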

6 files changed: +286 -36 lines changed


doc/src/sgml/client-auth.sgml

Lines changed: 19 additions & 6 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.52 2003/06/25 01:20:50 momjian Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.53 2003/07/26 13:50:01 momjian Exp $
33
-->
44

55
<chapter id="client-authentication">
@@ -83,13 +83,15 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.52 2003/06/25 01:20:50
8383
</para>
8484

8585
<para>
86-
A record may have one of thefive formats
86+
A record may have one of theseven formats
8787
<synopsis>
8888
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
8989
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
9090
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
91+
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
9192
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
9293
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
94+
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>CIDR-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
9395
</synopsis>
9496
The meaning of the fields is as follows:
9597

@@ -136,6 +138,17 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <
136138
</listitem>
137139
</varlistentry>
138140

141+
<varlistentry>
142+
<term><literal>hostnossl</literal></term>
143+
<listitem>
144+
<para>
145+
This record is similar to <literal>hostssl</> but with the
146+
opposite logic: it matches only regular connection attempts not
147+
using SSL.
148+
</para>
149+
</listitem>
150+
</varlistentry>
151+
139152
<varlistentry>
140153
<term><replaceable>database</replaceable></term>
141154
<listitem>
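Review bot: the new hostnossl entry should say what happens when SSL is off on the server side, since the hba.c change in this same patch compiles the hostnossl check only under USE_SSL. With postgresql.conf ssl = false or a build without SSL support every connection is a regular one, so a hostnossl record then matches exactly what a host record matches; one sentence here ("Without SSL support on the server this behaves like host") would save administrators from reading the source to learn it.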
@@ -196,8 +209,8 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <
196209
</para>
197210

198211
<para>
199-
These fields only apply to <literal>host</literal> and
200-
<literal>hostssl</literal> records.
212+
These fields only apply to <literal>host</literal>,
213+
<literal>hostssl</literal>, and <literal>hostnossl</> records.
201214
</para>
202215
</listitem>
203216
</varlistentry>
@@ -224,8 +237,8 @@ hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <
224237
</para>
225238

226239
<para>
227-
This field only applies to <literal>host</literal> and
228-
<literal>hostssl</literal> records.
240+
This field only applies to <literal>host</literal>,
241+
<literal>hostssl</literal>, and <literal>hostnossl</> records.
229242
</para>
230243
</listitem>
231244
</varlistentry>

doc/src/sgml/libpq.sgml

Lines changed: 58 additions & 5 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v 1.128 2003/07/23 17:27:28 momjian Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/libpq.sgml,v 1.129 2003/07/26 13:50:01 momjian Exp $
33
-->
44

55
<chapter id="libpq">
@@ -206,14 +206,44 @@ PGconn *PQconnectdb(const char *conninfo);
206206
</listitem>
207207
</varlistentry>
208208

209+
<varlistentry>
210+
<term><literal>sslmode</literal></term>
211+
<listitem>
212+
<para>
213+
This option determines whether or with what priority an <acronym>SSL</>
214+
connection will be negotiated with the server. There are four
215+
modes: <literal>disable</> will attempt only an unencrypted
216+
<acronym>SSL</> connection; <literal>allow</> will negotiate,
217+
trying first a non-<acronym>SSL</> connection, then if that fails,
218+
trying an <acronym>SSL</> connection; <literal>prefer</>
219+
(the default) will negotiate, trying first an <acronym>SSL</> connection,
220+
then if that fails, trying a regular non-<acronym>SSL</> connection;
221+
<literal>require</> will try only an <acronym>SSL</> connection.
222+
</para>
223+
<para>
224+
If <productname>PostgreSQL</> is compiled without SSL support,
225+
using option <literal>require</> will cause an error, and options
226+
<literal>allow</> and <literal>prefer</> will be tolerated but
227+
<application>libpq</> will be unable to negotiate an <acronym>SSL</>
228+
connection.
229+
</para>
230+
</listitem>
231+
</varlistentry>
232+
209233
<varlistentry>
210234
<term><literal>requiressl</literal></term>
211235
<listitem>
212236
<para>
213-
If set to 1, an <acronym>SSL</acronym> connection to the server is required.
237+
This option is deprecated in favor of the <literal>sslmode</>
238+
setting.
239+
</para>
240+
<para>
241+
If set to 1, an <acronym>SSL</acronym> connection to the server is required
242+
(this is equivalent to <literal>sslmode</> <literal>require</>).
214243
<application>libpq</> will then refuse to connect if the server does not
215244
accept an <acronym>SSL</acronym> connection.
216-
If set to 0 (default), <application>libpq</> will negotiate the connection type with server.
245+
If set to 0 (default), <application>libpq</> will negotiate the connection
246+
type with the server (equivalent to <literal>sslmode</> <literal>prefer</>).
217247
This option is only available if
218248
<productname>PostgreSQL</> is compiled with SSL support.
219249
</para>
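Review bot: in the sslmode paragraph, "<literal>disable</> will attempt only an unencrypted <acronym>SSL</> connection" contradicts itself; the commit message describes disable as "Unencrypted non-SSL only", so this should read "an unencrypted non-<acronym>SSL</> connection". It would also help to state plainly that allow and prefer fall back to an unencrypted connection without any error, so a client that needs encryption must set require; the text describes the fallback but does not draw that conclusion for the reader.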
@@ -3140,15 +3170,38 @@ the <productname>PostgreSQL</productname> server.
31403170
</listitem>
31413171
<listitem>
31423172
<para>
3173+
<indexterm>
3174+
<primary><envar>PGSSLMODE</envar></primary>
3175+
</indexterm>
3176+
<envar>PGSSLMODE</envar> determines whether and with what priority an
3177+
<acronym>SSL</> connection will be negotiated with the server. There are
3178+
four modes: <literal>disable</> will attempt only an unencrypted
3179+
<acronym>SSL</> connection; <literal>allow</> will negotiate,
3180+
trying first a non-<acronym>SSL</> connection, then if that fails,
3181+
trying an <acronym>SSL</> connection; <literal>prefer</>
3182+
(the default) will negotiate, trying first an <acronym>SSL</>
3183+
connection, then if that fails, trying a regular non-<acronym>SSL</>
3184+
connection; <literal>require</> will try only an <acronym>SSL</>
3185+
connection. If <productname>PostgreSQL</> is compiled without SSL support,
3186+
using option <literal>require</> will cause an error, and options
3187+
<literal>allow</> and <literal>prefer</> will be tolerated but
3188+
<application>libpq</> will be unable to negotiate an <acronym>SSL</>
3189+
connection.
3190+
</para>
3191+
</listitem>
3192+
<listitem>
3193+
<para>
31433194
<indexterm>
31443195
<primary><envar>PGREQUIRESSL</envar></primary>
31453196
</indexterm>
31463197
<envar>PGREQUIRESSL</envar> sets whether or not the connection must be
31473198
made over <acronym>SSL</acronym>. If set to
31483199
<quote>1</quote>, <application>libpq</>
31493200
will refuse to connect if the server does not accept
3150-
an <acronym>SSL</acronym> connection.
3151-
This option is only available if
3201+
an <acronym>SSL</acronym> connection (equivalent to <literal>sslmode</>
3202+
<literal>prefer</>).
3203+
This option is deprecated in favor of the <literal>sslmode</>
3204+
setting, and is only available if
31523205
<productname>PostgreSQL</> is compiled with SSL support.
31533206
</para>
31543207
</listitem>
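Review bot: the PGREQUIRESSL paragraph now says that setting "1" is "equivalent to <literal>sslmode</> <literal>prefer</>", but the requiressl connection-parameter text earlier in this same patch maps 1 to require and 0 to prefer; the parenthetical here should say require. The PGSSLMODE paragraph also repeats the "unencrypted <acronym>SSL</> connection" wording for disable, which should be "non-<acronym>SSL</>".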

src/backend/libpq/auth.c

Lines changed: 9 additions & 3 deletions
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.105 2003/07/23 23:30:40 tgl Exp $
11+
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.106 2003/07/26 13:50:02 momjian Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -439,10 +439,16 @@ ClientAuthentication(Port *port)
439439
NULL,0,
440440
NI_NUMERICHOST);
441441

442+
#ifdefUSE_SSL
443+
#defineEREPORT_SSL_STATUS(port->ssl ? "on" : "off")
444+
#else
445+
#defineEREPORT_SSL_STATUS"off"
446+
#endif
447+
442448
ereport(FATAL,
443449
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
444-
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
445-
hostinfo,port->user_name,port->database_name)));
450+
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
451+
hostinfo,port->user_name,port->database_name,EREPORT_SSL_STATUS)));
446452
break;
447453
}
448454

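Review bot: EREPORT_SSL_STATUS is #defined in the middle of ClientAuthentication() and never #undef'd, so it leaks into the rest of the translation unit; add "#undef EREPORT_SSL_STATUS" after the ereport() or hoist the two definitions to the top of the file next to the other USE_SSL conditionals. Reporting the SSL state in the "no pg_hba.conf entry" FATAL is a good addition for log review, since it shows whether a rejected client was speaking SSL or plaintext.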
src/backend/libpq/hba.c

Lines changed: 13 additions & 3 deletions
@@ -10,7 +10,7 @@
1010
*
1111
*
1212
* IDENTIFICATION
13-
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.107 2003/07/23 23:30:40 tgl Exp $
13+
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.108 2003/07/26 13:50:02 momjian Exp $
1414
*
1515
*-------------------------------------------------------------------------
1616
*/
@@ -595,10 +595,12 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
595595
if (port->raddr.addr.ss_family!=AF_UNIX)
596596
return;
597597
}
598-
elseif (strcmp(token,"host")==0||strcmp(token,"hostssl")==0)
598+
elseif (strcmp(token,"host")==0
599+
||strcmp(token,"hostssl")==0
600+
||strcmp(token,"hostnossl")==0)
599601
{
600602

601-
if (strcmp(token,"hostssl")==0)
603+
if (token[4]=='s')/* "hostssl" */
602604
{
603605
#ifdefUSE_SSL
604606
/* Record does not match if we are not on an SSL connection */
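Review bot: "if (token[4] == 's') /* "hostssl" */" is only correct because the enclosing else-if has already narrowed token to host, hostssl or hostnossl, and for plain "host" token[4] is the terminating NUL; anyone adding another host* keyword later will silently land in the wrong branch. The explicit strcmp(token, "hostssl") == 0 that this replaces costs nothing in a config-parsing path and documents itself, so I would keep it (and use strcmp(token, "hostnossl") == 0 for the new branch).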
@@ -614,6 +616,14 @@ parse_hba(List *line, hbaPort *port, bool *found_p, bool *error_p)
614616
gotohba_syntax;
615617
#endif
616618
}
619+
#ifdefUSE_SSL
620+
elseif (token[4]== 'n')/* "hostnossl" */
621+
{
622+
/* Record does not match if we are on an SSL connection */
623+
if (port->ssl)
624+
return;
625+
}
626+
#endif
617627

618628
/* Get the database. */
619629
line=lnext(line);
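Review bot: the hostnossl branch is wrapped in #ifdef USE_SSL, so in a build without SSL support a hostnossl line is accepted and behaves exactly like host, whereas a hostssl line in the same build is rejected via hba_syntax (just above in this hunk). The asymmetry is defensible, since every connection is non-SSL in that build, but it should be stated in client-auth.sgml so a mixed pg_hba.conf does not surprise administrators; a short comment at the #ifdef saying why hostnossl needs no non-SSL case would also help.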
