On Mon, Nov 20, 2006 at 10:30:31PM -0500, Tom Lane wrote: > "Sergio" <sergio.cinos@xxxxxxxxx> writes: > > I see a strange behaviour using root.crt. PostgreSQL always waits a > > client certificate to check agains root.crt. But I set up a > > 'hostnossl' auth line un pg_hba.conf, PostgreSQL still wants a client > > certificate. > > No, not really. The problem is that in the default PGSSLMODE=prefer > behavior, libpq tries an SSL connection first. It's prepared to retry > with a non-SSL connection if it gets a rejection from the server ... > but if OpenSSL fails to establish the connection, it just dies > immediately. It is possible to continue communicating after SSL negotiation failure. If SSL_accept/connect return 0, that means the negotiation failed cleanly and in theory libpq could continue in non-SSL mode. I think long term this would be the nicest solution (no double connections) but it's probably more complicated then looping around again after SSL failure. Have a nice day, -- Martijn van Oosterhout <kleptog@xxxxxxxxx> http://svana.org/kleptog/ > From each according to his ability. To each according to his ability to litigate.
Attachment:
signature.asc
Description: Digital signature
