Tom Lane wrote: > Conclusions: > > * SSL, even without real authentication, is *way* too expensive to > enable by default. > > * The extra cost of going across a local TCP connection is measurable, > but it's insignificant compared to the cost of turning on SSL. (This > is on a Fedora 8 kernel BTW ... that result might vary on other > platforms.) > > So you could make a pretty good case that the answer for DBAs who > want to prevent spoofing is to disable socket connections in pg_hba.conf > and force even local connections to come through "hostssl" connections.
Yea, I figured using protected directories for the socket was the zero-cost solution, and if you have to do SSL, might as well just use TCP too. (If you moved the socket file to a protected directory I think you could use external_pid_file='/tmp/.s.PGSQL.5432' to prevent a spoof socket file in /tmp. Should we document that idea?) > If we do want to apply Peter's patch, I think it needs to be extended so > that the default behavior on sockets is the same as before, ie, no SSL. > This could be done by giving libpq an additional connection parameter, > say "socketsslmode", having the same alternatives as sslmode but > defaulting to "allow" instead of "prefer". That seems like it is going to be added confusion; just using the protected socket diretory or TCP & SSL seems less error-prone. -- Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq