On Mon, Apr 25, 2011 at 12:52 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> A recent complaint in pgsql-novice revealed that if you have say
>
> hostssl all all 127.0.0.1/32 md5 clientcert=1
>
> in pg_hba.conf, but you forget to enable SSL in postgresql.conf,
> you get something like this:
>
> LOG: client certificates can only be checked if a root certificate store is available
> HINT: Make sure the root.crt file is present and readable.
> CONTEXT: line 82 of configuration file "/home/tgl/version90/data/pg_hba.conf"
> LOG: client certificates can only be checked if a root certificate store is available
> HINT: Make sure the root.crt file is present and readable.
> CONTEXT: line 84 of configuration file "/home/tgl/version90/data/pg_hba.conf"
> FATAL: could not load pg_hba.conf
>
> Needless to say, this is pretty unhelpful, especially if you actually do
> have a root.crt file.
>
> I'm inclined to think that the correct fix is to make parse_hba_line,
> where it first realizes the line is "hostssl", check not only that SSL
> support is compiled but that it's turned on. Is it really sensible to
> allow hostssl lines in pg_hba.conf when SSL is turned off? At best
> they are no-ops, and at worst they're going to result in weird failures
> like this one.
It's not clear to me what behavior you are proposing. Would we
disregard the hostssl line or treat it as an error?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company