On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > A recent complaint in pgsql-novice revealed that if you have say > > hostssl all all 127.0.0.1/32 md5 > clientcert=1 > > in pg_hba.conf, but you forget to enable SSL in postgresql.conf, > you get something like this: > > LOG: client certificates can only be checked if a root certificate store is > available > HINT: Make sure the root.crt file is present and readable. > CONTEXT: line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf" > LOG: client certificates can only be checked if a root certificate store is > available > HINT: Make sure the root.crt file is present and readable. > CONTEXT: line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf" > FATAL: could not load pg_hba.conf > > Needless to say, this is pretty unhelpful, especially if you actually do > have a root.crt file. > > I'm inclined to think that the correct fix is to make parse_hba_line, > where it first realizes the line is "hostssl", check not only that SSL > support is compiled but that it's turned on. Is it really sensible to > allow hostssl lines in pg_hba.conf when SSL is turned off? At best > they are no-ops, and at worst they're going to result in weird failures > like this one.
It's not clear to me what behavior you are proposing. Would we disregard the hostssl line or treat it as an error? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
