Alvaro Herrera wrote:
> Magnus Hagander wrote:
>> In a number of places in pg_hba.conf, we don't actually log what goes
>> wrong - instead we just goto a label that will log "invalid token \"%s\"".
>>
>> Is there any special reason for this, other than the fact that it was
>> the easy way out? I think it would be reasonable to for example log
>> "hostssl not supported on this platform" instead of that, when USE_SSL
>> is not defined, etc.
>
> Without actually looking at what you're considering, I think it could be
> a security bug if you were to disclose all the details to the user.
> Perhaps the details can be passed to errdetail_log() to avoid this
> problem.
This is during pg_hba parsing. E.g. at server start or config reload. It
doesn't run in the context of a user connection.
//Magnus