A bit of cleanup after SSL patch. Add it to config file, improve

documentation.

doc/src/sgml/installation.sgml

-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.16 2000/08/29 20:02:07 momjian Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.17 2000/09/06 19:54:45 petere Exp $ -->
 
 <chapter id="installation">
  <title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
@@ -354,7 +354,7 @@ su - postgres
          The man pages that come with <productname>PostgreSQL</> will be installed under
          this directory, in their respective
          <filename>man<replaceable>x</></> subdirectories.
-         <filename><replaceable>PREFIX</>/man</>.
+         The default is <filename><replaceable>PREFIX</>/man</>.
         </para>
        </listitem>
       </varlistentry>
@@ -581,15 +581,16 @@ su - postgres
        <term>--with-openssl=<replaceable>DIRECTORY</></term>
        <listitem>
         <para>
-         Build with support for SSL (encrypted) connections. 
-         This requires the OpenSSL library to be installed.
+         Build with support for <acronym>SSL</> (encrypted) connections. 
+         This requires the <productname>OpenSSL</> package to be installed.
          The <replaceable>DIRECTORY</> argument specifies the
-         root directory of the OpenSSL installation.
+         root directory of the <productname>OpenSSL</> installation; the
+         default is <filename>/usr/local/ssl</>.
         </para>
 
         <para>
          <filename>configure</> will check for the required header
-         files and libraries to make sure that your OpenSSL
+         files and libraries to make sure that your <productname>OpenSSL</>
          installation is sufficient before proceeding.
         </para>
        </listitem>
@@ -601,7 +602,7 @@ su - postgres
         <para>
          Enables the <productname>PostgreSQL</> server to use the
          syslog logging facility. (Using this option does not mean
-         that you will have to log with syslog or even that it will be done
+         that you must log with syslog or even that it will be done
          by default, it simply makes it possible to turn this option
          on at run time.)
         </para>

doc/src/sgml/runtime.sgml

 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.23 2000/08/29 20:02:07 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.24 2000/09/06 19:54:45 petere Exp $
 -->
 
 <Chapter Id="runtime">
@@ -941,18 +941,6 @@ env PGOPTIONS='--geqo=off' psql
       </listitem>
      </varlistentry>
 
-     <varlistentry>
-      <term>TCPIP_SOCKET (<type>boolean</type>)</term>
-      <listitem>
-       <para>
-        If this is true, then the server will accept TCP/IP
-        connections. Otherwise only local Unix domain socket
-        connections are accepted. It is off by default. This option
-        can only be set at server start.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry>
       <term>PORT (<type>integer</type>)</term>
       <listitem>
@@ -1005,6 +993,29 @@ env PGOPTIONS='--geqo=off' psql
        </para>
       </listitem>
      </varlistentry>
+
+     <varlistentry>
+      <term>SSL (<type>boolean</type>)</term>
+      <listitem>
+       <para>
+        Enables <acronym>SSL</> connections. Please read
+        <xref linkend="ssl"> before using this. The default
+        is off.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>TCPIP_SOCKET (<type>boolean</type>)</term>
+      <listitem>
+       <para>
+        If this is true, then the server will accept TCP/IP
+        connections. Otherwise only local Unix domain socket
+        connections are accepted. It is off by default. This option
+        can only be set at server start.
+       </para>
+      </listitem>
+     </varlistentry>
     </variablelist>
    </para>
    </sect2>
@@ -1048,6 +1059,11 @@ env PGOPTIONS='--geqo=off' psql
         <entry>tcpip_socket = on</entry>
         <entry></entry>
        </row>
+       <row>
+        <entry>-l</entry>
+        <entry>ssl = on</entry>
+        <entry></entry>
+       </row>
        <row>
         <entry>-N <replaceable>x</replaceable></entry>
         <entry>max_connections = <replaceable>x</replaceable></entry>
@@ -1726,64 +1742,66 @@ perl: warning: Falling back to the standard locale ("C").
   </para>
  </sect1>
 
- <sect1>
-  <title>Secure TCP/IP Connection with SSL</title>
+ <sect1 id="ssl">
+  <title>Secure TCP/IP Connections with SSL</title>
 
   <para>
-   PostgreSQL has native support for connections over SSL to encrypt
+   <productname>PostgreSQL</> has native support for connections over
+   <acronym>SSL</> to encrypt
    client/server communications for increased security. This requires
    <productname>OpenSSL</productname> to be installed on both client
-   and server systems and support enabled at compile-time using
-   the configure script.
+   and server systems and support enabled at build-time (see <xref
+   linkend="installation">).
   </para>
 
   <para>
-   With SSL support compiled in, the Postgres backend can be 
-   started with argument -l to enable SSL connections. 
-   When starting in SSL mode, the postmaster will look for the 
-   files <filename>server.key</filename> and
-   <filename>server.cert</filename> in the <envar>PGDATA</envar>
-   directory. These files should contain the server private key and
-   certificate respectively. If the private key is protected with a 
-   passphrase, the postmaster will prompt for the passphrase and not 
-   start until it has been provided.
+   With SSL support compiled in, the <productname>PostgreSQL</> server
+   can be started with the argument <option>-l</> (ell) to enable
+   SSL connections. When starting in SSL mode, the postmaster will look
+   for the files <filename>server.key</> and <filename>server.crt</> in
+   the data directory. These files should contain the server private key
+   and certificate respectively. These files must be set up correctly
+   before an SSL-enabled server can start. If the private key is protected
+   with a passphrase, the postmaster will prompt for the passphrase and will
+   not start until it has been provided.
   </para>
 
   <para>
    The postmaster will listen for both standard and SSL connections
    on the same TCP/IP port, and will negotiate with any connecting
-   client wether to use SSL or not. Use the <filename>pg_hba.conf</filename>
-   file to optionally require SSL in order to accept a connection.
+   client wether to use SSL or not. See <xref linkend="client-authentication">
+   about how to force on the server side the use of SSL for certain
+   connections.
   </para>
 
   <para>
    For details on how to create your server private key and certificate,
-   refer to the OpenSSL documentation. A simple self-signed certificate
-   can be used to get started testing, but a certificate signed by a CA
-   (either one of the global CAs or a local one) should be used in 
+   refer to the <productname>OpenSSL</> documentation. A simple self-signed
+   certificate can be used to get started testing, but a certificate signed
+   by a CA (either one of the global CAs or a local one) should be used in 
    production so the client can verify the servers identity. To create
    a quick self-signed certificate, use the <filename>CA.pl</filename>
    script included in OpenSSL:
 <programlisting>
-   CA.pl -newcert
+CA.pl -newcert
 </programlisting>
    Fill out the information the script asks for. Make sure to enter
-   the local hostname as Common Name. The script will generate a key
-   which is passphrase protected. To remove the passphrase (required
+   the local host name as Common Name. The script will generate a key
+   that is passphrase protected. To remove the passphrase (required
    if you want automatic start-up of the postmaster), run the command
 <programlisting>
-   openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
+openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
 </programlisting>
    Enter the old passphrase to unlock the existing key. Copy the file
-   <filename>newreq.pem</filename> to <filename>PGDATA/server.cert</filename>
-   and <filename>newkey_no_passphrase.pem</filename> to 
-   <filename>PGDATA/server.key</filename>. Remove the PRIVATE KEY part
-   from the <filename>server.cert</filename> using any text editor.
+   <filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</>
+   and <filename>newkey_no_passphrase.pem</> to
+   <filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part
+   from the <filename>server.crt</filename> using any text editor.
   </para>
  </sect1>
 
  <sect1>
-  <title>Secure TCP/IP Connection with SSH</title>
+  <title>Secure TCP/IP Connections with SSH tunnels</title>
 
   <note>
    <title>Acknowledgement</title>
@@ -1828,6 +1846,13 @@ psql -h localhost -p 3333 template1
    terminal session.
   </para>
 
+  <tip>
+   <para>
+    Several other products exist that can provide secure tunnels using
+    a procedure similar in concept to the one just described.
+   </para>
+  </tip>
+
  </sect1>
 
 </Chapter>

src/backend/postmaster/postmaster.c

@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.165 2000/09/06 14:15:19 petere Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.166 2000/09/06 19:54:46 petere Exp $
  *
  * NOTES
  *
@@ -193,10 +193,8 @@ static bool Reinit = true;
 static int	SendStop = false;
 
 bool NetServer = false;	/* listen on TCP/IP */
+bool EnableSSL = false;
 
-#ifdef USE_SSL
-static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */
-#endif
 
 static pid_t StartupPID = 0,
 			ShutdownPID = 0;
@@ -452,7 +450,7 @@ PostmasterMain(int argc, char *argv[])
 				break;
 #ifdef USE_SSL
 			case 'l':
- 			        DisableSSL = true;
+			        EnableSSL = true;
 				break;
 #endif
 			case 'm':
@@ -563,13 +561,13 @@ PostmasterMain(int argc, char *argv[])
 	}
 
 #ifdef USE_SSL
-	if (!NetServer && !DisableSSL)
+	if (EnableSSL && !NetServer)
 	{
-		fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n",
+		fprintf(stderr, "%s: For SSL, TCP/IP connections must be enabled. See -? for help.\n",
 				progname);
 		exit(1);
 	}
-	if (!DisableSSL)
+	if (EnableSSL)
 	        InitSSL();
 #endif
 
@@ -750,9 +748,9 @@ usage(const char *progname)
 	printf("  -d 1-5          debugging level\n");
 	printf("  -D <directory>  database directory\n");
 	printf("  -F              turn fsync off\n");
-	printf("  -i              listen on TCP/IP sockets\n");
+	printf("  -i              enable TCP/IP connections\n");
 #ifdef USE_SSL
-	printf("  -l              disable SSL\n");
+	printf("  -l              enable SSL connections\n");
 #endif
 	printf("  -N <number>     maximum number of allowed connections (1..%d, default %d)\n",
 			MAXBACKENDS, DEF_MAXBACKENDS);
@@ -1060,7 +1058,7 @@ readStartupPacket(void *arg, PacketLen len, void *pkt)
 		char		SSLok;
 
 #ifdef USE_SSL
-                if (DisableSSL || port->laddr.sa.sa_family != AF_INET)
+                if (!EnableSSL || port->laddr.sa.sa_family != AF_INET)
 		        /* No SSL when disabled or on Unix sockets */
    		        SSLok = 'N';
 		else

src/backend/utils/misc/guc.c

@@ -4,7 +4,7 @@
  * Support for grand unified configuration scheme, including SET
  * command, configuration file, and command line options.
  *
- * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.10 2000/08/28 11:57:41 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.11 2000/09/06 19:54:47 petere Exp $
  *
  * Copyright 2000 by PostgreSQL Global Development Group
  * Written by Peter Eisentraut <peter_e@gmx.net>.
@@ -160,6 +160,7 @@ ConfigureNamesBool[] =
 	{"geqo",                    PGC_USERSET,    &enable_geqo,           true},
 
 	{"tcpip_socket",            PGC_POSTMASTER, &NetServer,             false},
+	{"ssl",                     PGC_POSTMASTER, &EnableSSL,             false},
 	{"fsync",                   PGC_USERSET,    &enableFsync,           true},
 
 	{"log_connections",         PGC_SIGHUP,     &Log_connections,       false},

src/bin/psql/startup.c

@@ -3,7 +3,7 @@
  *
  * Copyright 2000 by PostgreSQL Global Development Group
  *
- * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.35 2000/08/30 14:54:23 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.36 2000/09/06 19:54:48 petere Exp $
  */
 #include "postgres.h"
 
@@ -266,10 +266,11 @@ main(int argc, char *argv[])
 				   "       \\? for help on internal slash commands\n"
 				   "       \\g or terminate with semicolon to execute query\n"
 				   "       \\q to quit\n\n", pset.progname);
-		}
 #ifdef USE_SSL
 			printSSLInfo();
 #endif
+		}
+
 		SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1);
 		SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2);
 		SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3);

src/include/miscadmin.h

@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Id: miscadmin.h,v 1.65 2000/09/06 14:15:24 petere Exp $
+ * $Id: miscadmin.h,v 1.66 2000/09/06 19:54:52 petere Exp $
  *
  * NOTES
  *	  some of the information in this file will be moved to
@@ -107,6 +107,7 @@ extern int	SortMem;
    configuration file processor has access to them */
 
 extern bool NetServer;
+extern bool EnableSSL;
 extern int MaxBackends;
 extern int NBuffers;
 extern int PostPortName;