On Fri, May 14, 2021 at 8:58 PM Stephen Frost <sfr...@snowman.net> wrote: > > Greetings, > > * Chapman Flack (c...@anastigmatix.net) wrote: > > If pg_hba syntax changes are being entertained, I would love to be able > > to set ssl_min_protocol_version locally in a hostssl rule. > > > > Some clients at $work are stuck with ancient SSL libraries, but I would > > much rather be able to weaken ssl_min_protocol_version just for them > > than do it globally. > > This (unlike what was actually proposed) does seem like it'd be a useful > improvement. Not sure exaclty how it would work but I'm generally on > board with the idea.
I agree, but I have no idea how you could do that within the current pg_hba.conf. The row is selected by the combination of username/database/ipaddress. But you have to pick the minimum TLS version before the client has sent that... Basically we have to make the choice long before we've even started looking at pg_hba. It would be good to have a way to do it, but I'm not sure pg_hba.conf is the place for it. -- Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/
