projects / users / hanada / postgres.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 13ec0bd)
Complain if pg_hba.conf contains "hostssl" but SSL is disabled.
authorTom Lane <[email protected]>
Tue, 26 Apr 2011 19:40:18 +0000 (15:40 -0400)
committerTom Lane <[email protected]>
Tue, 26 Apr 2011 19:40:18 +0000 (15:40 -0400)
Most commenters agreed that this is more friendly than silently failing
to match the line during actual connection attempts.  Also, this will
prevent corner cases that might arise when trying to handle such a line
when the SSL code isn't turned on.  An example is that specifying
clientcert=1 in such a line would formerly result in a completely
misleading complaint that root.crt wasn't present, as seen in a recent
report from Marc-Andre Laverdiere.  While we could have instead fixed
that specific behavior, it seems likely that we'd have a continuing stream
of such bizarre behaviors if we keep on allowing hostssl lines when SSL is
disabled.

Back-patch to 8.4, where clientcert was introduced.  Earlier versions don't
have this specific issue, and the code is enough different to make this
patch not applicable without more work than it seems worth.

src/backend/libpq/hba.c patch | blob | blame | history

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index a14d265676fd44f8b8f5d2e06c86209acda64f63..b679e946538ce8fdb2d1d9494550b3bb2cfc9d86 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -27,6 +27,7 @@
 
 #include "libpq/ip.h"
 #include "libpq/libpq.h"
+#include "postmaster/postmaster.h"
 #include "regex/regex.h"
 #include "storage/fd.h"
 #include "utils/flatfiles.h"
@@ -646,8 +647,20 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 
        if (token[4] == 's')    /* "hostssl" */
        {
+           /* SSL support must be actually active, else complain */
 #ifdef USE_SSL
-           parsedline->conntype = ctHostSSL;
+           if (EnableSSL)
+               parsedline->conntype = ctHostSSL;
+           else
+           {
+               ereport(LOG,
+                       (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                        errmsg("hostssl requires SSL to be turned on"),
+                        errhint("Set ssl = on in postgresql.conf."),
+                        errcontext("line %d of configuration file \"%s\"",
+                                   line_num, HbaFileName)));
+               return false;
+           }
 #else
            ereport(LOG,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
Hanada's development tree.