On Fri, July 27, 2007 04:20, Albe Laurenz wrote:
>
> This is more a philosophical question.
>
> If you only allow hostssl connections in pg_hba.conf AND forbid
> all host connections (with one last 'reject' line), PostgreSQL
> will reject all connections that are not via SSL.
>
> If your "security compliance team" does not trust PostgreSQL to
> enforce that, they'll probably have a very bad feeling about PostgreSQL
> in general - why then should they trust a log entry that PostgreSQL
> writes?
>

Because configuration files can be expected to be modified over time, and having an explicit log entry tells one what modes were in effect for a specific connection at the time, whatever the configuration file says now. It is not confidence in the software but in the diligence of the system administrator (me) that is at question for the audit team.

In any case, I personally like this sort of direct confidence log entry. I feel that it makes for easier configuration changes, as often you can quickly see the consequence when you have done something stupid.

I think that if the maintainers decide it is worth doing at all (and I simply do not have the time to bring myself up to speed on the code base of a project the size of PostgreSQL to do it myself), then such a feature would be best added as a new special value (%e) option for log_line_prefix.

# %e = connection encryption strength (none/ssl-256/ssl-512 etc.)

Which again raises a question that I posed earlier: Is there any benefit to increasing the key size for a host connection from 256 and, if so, how is this done?

Regards,

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
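The "hostssl only, then one last reject" pattern from the quoted reply is easy to state and easy to break with a later edit, which is the concern raised above. The following is an added example, not code from this thread or from the PostgreSQL project: a small Python audit that parses a pg_hba.conf and reports any `host` or `hostnossl` record that would accept a client which never negotiated SSL, plus whether the file ends with an explicit catch-all reject for both IPv4 and IPv6. It assumes the documented pg_hba.conf record layout (TYPE DATABASE USER ADDRESS METHOD, with an optional separate NETMASK field, `#` comments, first matching record wins) and uses two constructed configs, one weak and one hardened; the hostnames, networks and auth methods in them are illustrative values, not anyone's real deployment.

```python
"""Audit a pg_hba.conf for records that let a TCP client connect without SSL.

Added example (not from the mailing-list thread). Assumptions: pg_hba.conf is
matched top-down with first match winning; only `hostssl` records require
SSL; `local` (Unix-socket) records carry no TCP traffic and are out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HbaRule:
    lineno: int
    conn_type: str           # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: Optional[str]   # None for local records
    method: str              # auth method, e.g. md5, scram-sha-256, reject


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf records; '#' starts a comment, fields are whitespace-separated."""
    rules: List[HbaRule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            # local DATABASE USER METHOD [OPTIONS]
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local record")
            rules.append(HbaRule(lineno, conn_type, fields[1], fields[2], None, fields[3]))
            continue
        # host* DATABASE USER ADDRESS METHOD   or   host* DATABASE USER IP NETMASK METHOD
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: malformed {conn_type} record")
        database, user, address = fields[1], fields[2], fields[3]
        rest = fields[4:]
        if "/" not in address and _is_ip(address) and _is_ip(rest[0]):
            address = f"{address}/{rest[0]}"   # fold the separate netmask into one field
            rest = rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: missing auth method")
        rules.append(HbaRule(lineno, conn_type, database, user, address, rest[0]))
    return rules


PLAINTEXT_TYPES = {"host", "hostnossl"}   # `host` matches SSL and non-SSL clients alike


def plaintext_accepting_rules(rules: List[HbaRule]) -> List[HbaRule]:
    """Records that would accept (rather than reject) a client that did not negotiate SSL."""
    return [r for r in rules if r.conn_type in PLAINTEXT_TYPES and r.method != "reject"]


def trailing_reject_coverage(rules: List[HbaRule]) -> Tuple[bool, bool]:
    """Address families covered by the final run of `host all all <any> reject` records."""
    covers_v4 = covers_v6 = False
    for r in reversed([r for r in rules if r.conn_type != "local"]):
        if not (r.conn_type == "host" and r.method == "reject"
                and r.database == "all" and r.user == "all"):
            break
        covers_v4 |= r.address in ("all", "0.0.0.0/0")
        covers_v6 |= r.address in ("all", "::/0")
    return covers_v4, covers_v6


def audit(text: str) -> Dict[str, object]:
    rules = parse_pg_hba(text)
    leaks = plaintext_accepting_rules(rules)
    v4, v6 = trailing_reject_coverage(rules)
    return {
        "plaintext_rules": [r.lineno for r in leaks],  # line numbers that accept non-SSL TCP
        "catchall_v4": v4,
        "catchall_v6": v6,
        "ssl_only": not leaks,          # no record accepts a non-SSL TCP client
        "explicit_catchall": v4 and v6,  # the belt-and-braces final reject is present
    }


# Constructed sample configs (illustrative networks and methods, not a real site).
WEAK_HBA = """\
# constructed example: a loopback and a LAN record still accept plaintext
local   all  all                            peer
host    all  all  127.0.0.1/32              md5
host    all  all  192.168.1.0 255.255.255.0 md5
hostssl all  all  10.0.0.0/8                md5
host    all  all  0.0.0.0/0                 reject
"""

HARDENED_HBA = """\
# constructed example: SSL only over TCP, everything else explicitly rejected
local   all  all                  peer
hostssl all  all  10.0.0.0/8      scram-sha-256
hostssl all  all  ::1/128         scram-sha-256
host    all  all  all             reject
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(name, audit(cfg))
```

Two points the audit makes visible: a `host ... md5` record anywhere above the final reject is a plaintext path no matter how the file ends, which is why the check walks every record rather than only the last one; and a catch-all reject still earns its place, because a `host` record appended below it later can never match, so the only way to reopen plaintext is to edit above the reject, where the per-record check catches it.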