Re: sslmode verify-ca and verify-full: essentially the same?

From: David Guyot <david(dot)guyot(at)europecamions-interactive(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: sslmode verify-ca and verify-full: essentially the same?
Date: 2015-01-27 13:55:56
Message-ID: 1422366956.18392.48.camel@Antares.europecamions-interactive.com
Lists: pgsql-general

Ah! So there was my error! It would be good to explain this in the
official libpq documentation, don't you think? If I read correctly, the
connection string as the source of the hostname isn't made explicit; there is
only the mention that libpq will check that the responding server is
“the one I specify”. Once I know that it means “the one I specify in the
connection string”, it's all clear, but, IMHO, there's still a doubt
when you don't know what that means.

Anyway, thanks for your help, Magnus.

Regards.

On Tuesday 27 January 2015 at 14:37 +0100, Magnus Hagander wrote:
> On Tue, Jan 27, 2015 at 2:29 PM, David Guyot
> <david(dot)guyot(at)europecamions-interactive(dot)com> wrote:
>
> > Hi, there.
> >
> > Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
> > right one for my question.
> >
> > I'm trying to secure some PgSQL servers further and am reading the
> > documentation about the libpq sslmode option. I have a question about
> > that: as I understand the internals of this option, the difference
> > between verify-ca and verify-full is that, for verify-full, the client
> > will compare the hostname the server gave and the one in the SSL
> > certificate, and will give up if these two values differ. Am I right up
> > to now?
>
> Almost correct. It will compare the hostname that the client used (in
> the connection string) with the hostname in the SSL certificate, and
> give up if the two values differ.
>
> The server does not give the client a hostname at any point (other
> than the CN of the certificate).
>
> > If I'm right, I feel like the extra security of verify-full compared to
> > verify-ca is merely a smoke screen because, as far as I know, nothing
> > prevents a crafted server from reading the certificate's hostname and
> > giving this one as its own, and libpq shouldn't show better MitM
> > protection with verify-full than with verify-ca. If I'm wrong, where am
> > I wrong? How does libpq verify the server's name? Reverse DNS? Other
> > means?
>
> libpq uses the hostname that you specify in the connection string (or
> in an environment variable, or however you end up specifying it).
>
> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/

--
David Guyot
System, network and telecom administrator / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
03 29 30 47 85
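The point Magnus makes in the thread, that the name checked under verify-full comes from the client's own connection string and never from anything the server sends, is easier to see with a small model of the decision libpq takes. The following Python is an added example written for this page; it is not code from the thread and not libpq's own implementation. It parses a libpq-style key=value connection string, represents the server certificate as a constructed dict (issuer, subject CN, optional SAN names), and applies the verify-ca and verify-full rules. The wildcard rule mirrors libpq's: a `*` counts only as the whole leftmost label. The SAN list is an assumption of the model: the 2015-era libpq in the thread compared the CN only, while newer releases (PostgreSQL 12 and later) also consult SAN dNSName entries. The CA name "Corp CA" and the hostnames are constructed sample values.

```python
import re

def parse_conninfo(conninfo):
    """Parse a libpq-style 'key=value key2=value2' string into a dict.

    Handles unquoted values and single-quoted values with backslash
    escapes, which covers the connection strings used in this example.
    """
    params = {}
    pattern = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'])*'|\S+)")
    for key, raw in pattern.findall(conninfo):
        if raw.startswith("'"):
            value = re.sub(r"\\(.)", r"\1", raw[1:-1])
        else:
            value = raw
        params[key] = value
    return params

def hostname_matches(cert_name, requested_host):
    """Compare a name from the certificate with the host the client asked for.

    Case-insensitive; a '*' is honoured only as the entire leftmost label,
    so '*.example.com' matches 'db.example.com' but not 'a.b.example.com'
    or 'example.com' itself.
    """
    cert_name = cert_name.lower().rstrip(".")
    requested_host = requested_host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == requested_host
    suffix = cert_name[1:]                  # e.g. ".example.com"
    if not requested_host.endswith(suffix):
        return False
    first_label = requested_host[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def verify_server_cert(conninfo, cert, trusted_issuers):
    """Return (accepted, reason) for a server certificate under the sslmode
    given in the connection string.

    cert is a constructed stand-in for the real certificate:
      {"issuer": ..., "cn": ..., "san": [...optional dNSNames...]}
    trusted_issuers stands in for the CAs listed in the client's root.crt.
    """
    params = parse_conninfo(conninfo)
    sslmode = params.get("sslmode", "prefer")
    if sslmode not in ("verify-ca", "verify-full"):
        return True, f"sslmode={sslmode}: certificate not verified at all"
    # Both verify modes first require a chain to a CA in root.crt.
    if cert["issuer"] not in trusted_issuers:
        return False, f"issuer '{cert['issuer']}' is not in root.crt"
    if sslmode == "verify-ca":
        # Any certificate from a trusted CA is accepted, whatever name it carries.
        return True, "chain trusted; server name not checked"
    # verify-full: the reference name is the host the *client* specified.
    host = params.get("host")
    if not host:
        return False, "verify-full needs a host name in the connection string"
    names = [cert["cn"]] + cert.get("san", [])
    for name in names:
        if hostname_matches(name, host):
            return True, f"chain trusted; '{name}' matches requested host '{host}'"
    return False, f"chain trusted, but none of {names} matches requested host '{host}'"

def demo():
    """Walk through the scenario from the thread with constructed certificates."""
    trusted = {"Corp CA"}
    legit = {"issuer": "Corp CA", "cn": "db.example.com"}
    # A certificate the same CA issued to some *other* host. Because the
    # reference name is taken from the client's connection string, the
    # server cannot influence which name verify-full compares against.
    other = {"issuer": "Corp CA", "cn": "other.example.com"}
    conn = "host=db.example.com dbname=app sslmode={mode}"
    results = {}
    for mode in ("verify-ca", "verify-full"):
        for label, cert in (("legit", legit), ("other", other)):
            results[(mode, label)] = verify_server_cert(conn.format(mode=mode), cert, trusted)
    return results

if __name__ == "__main__":
    for (mode, label), (ok, why) in demo().items():
        print(f"{mode:12} {label:6} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running the block shows verify-ca accepting both certificates (each chains to the trusted CA) while verify-full accepts only the one whose name matches `host=db.example.com`; a certificate for any other host, however legitimately issued, is rejected because the comparison target is fixed by the client before the server says anything.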
