Re: localhost ssl

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Rob Sargent <robjsargent(at)gmail(dot)com>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: localhost ssl
Date: 2021-01-22 19:15:03
Message-ID: 1ca17e3b-14de-69ff-5f0b-4082376571ca@aklaver.com
Lists: pgsql-general

On 1/22/21 11:04 AM, Rob Sargent wrote:
>
> I will need to enforce ssl/tls in my production environment so I thought
> I would try setting things up on localhost to see how that went.
>
> Then I noticed that my successful connections from
> "/usr/lib/postgresql/12/bin/psql -U postgres -h localhost -P pager=off
> postgres" report:
>
>   psql (12.5 (Ubuntu 12.5-0ubuntu0.20.04.1))
>   SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384,
> bits: 256, compression: off)
>   Type "help" for help.
>
> though my pg_hba.conf does not specify SSL at all

Yes it does (implied):

https://www.postgresql.org/docs/12/auth-pg-hba-conf.html

"host

This record matches connection attempts made using TCP/IP. host
records match SSL or non-SSL connection attempts as well as GSSAPI
encrypted or non-GSSAPI encrypted connection attempts."

Also I'm guessing you have ssl = on in postgresql.conf and a server cert
set up.

If you want to enforce SSL then:

"
hostssl

This record matches connection attempts made using TCP/IP, but only
when the connection is made with SSL encryption.

To make use of this option the server must be built with SSL
support. Furthermore, SSL must be enabled by setting the ssl
configuration parameter (see Section 18.9 for more information).
Otherwise, the hostssl record is ignored except for logging a warning
that it cannot match any connections.
"

Read below for more information:

https://www.postgresql.org/docs/12/ssl-tcp.html

>
>   # Database administrative login by Unix domain socket
>
>   local   all             postgres                                peer
>
>
>   # TYPE  DATABASE        USER            ADDRESS METHOD
>
>   # "local" is for Unix domain socket connections only
>
>   local   all             all                                     peer
>
>   # IPv4 local connections:
>
>   host    all             all             127.0.0.1/32            md5
>
>   host    all             all             127.0.1.1/32            md5
>
>   # IPv6 local connections:
>
>   host    all             all             ::1/128                 md5
>
>
> So to the questions:
> 1. Am I already getting encrypted connections and if so, how?
> 2. In production I hope to name the role with each connection as I want
> the search_path set by the connecting role.  Will I need a cert per role
> with CN=<rolename>?
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
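The host/hostssl distinction above is easy to get wrong by reading a pg_hba.conf by eye, so here is an added example (not code from the thread or from the PostgreSQL project) that parses a pg_hba.conf, reports every TCP record that still admits non-SSL clients, and rewrites plain `host` records as `hostssl`. It assumes the record layouts documented for pg_hba.conf (`local` records without an address column, `host`-family records with either a CIDR address or a separate address/mask pair) and uses a constructed copy of the file quoted in the thread as sample input. The `ssl_enabled` flag models the caveat in the docs that `hostssl` records are ignored when `ssl` is off in postgresql.conf.

```python
"""Audit a pg_hba.conf for records that still admit unencrypted TCP connections.

Added example, not PostgreSQL project code. Assumes the documented pg_hba.conf
record layouts; SAMPLE_PG_HBA is a constructed copy of the file quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP record types, per the docs quoted in the thread: "host" matches SSL and
# non-SSL clients alike; only "hostssl" restricts matching to SSL connections.
TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Auth methods, used to tell "ADDRESS METHOD" from "ADDRESS MASK METHOD".
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

SAMPLE_PG_HBA = """\
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             127.0.1.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
"""


@dataclass
class HbaRecord:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]  # None for "local" (Unix-socket) records
    method: str


def parse_pg_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf records, skipping comments and blank lines."""
    records: List[HbaRecord] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        f = body.split()
        kind = f[0]
        if kind == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: malformed local record")
            records.append(HbaRecord(lineno, kind, f[1], f[2], None, f[3]))
        elif kind in TCP_TYPES:
            if len(f) < 5:
                raise ValueError(f"line {lineno}: malformed {kind} record")
            if f[4] in AUTH_METHODS or "/" in f[3]:
                address, method = f[3], f[4]
            else:  # separate netmask column: ADDRESS MASK METHOD
                if len(f) < 6:
                    raise ValueError(f"line {lineno}: missing auth method")
                address, method = f"{f[3]}/{f[4]}", f[5]
            records.append(HbaRecord(lineno, kind, f[1], f[2], address, method))
        else:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
    return records


def audit(records: List[HbaRecord], ssl_enabled: bool = True) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for records that weaken SSL enforcement."""
    findings: List[Tuple[int, str]] = []
    for r in records:
        if r.conn_type == "host":
            findings.append((r.lineno, "host matches SSL and non-SSL TCP clients; "
                                       "use hostssl to require encryption"))
        elif r.conn_type == "hostnossl":
            findings.append((r.lineno, "hostnossl matches only unencrypted TCP clients"))
        elif r.conn_type == "hostssl" and not ssl_enabled:
            findings.append((r.lineno, "hostssl is ignored while ssl = off in postgresql.conf"))
    return findings


_HOST_LINE = re.compile(r"^(\s*)host(\s+)(.*)$")


def harden(text: str) -> str:
    """Rewrite plain "host" records as "hostssl", absorbing padding to keep columns close."""
    out = []
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if m:
            lead, gap, rest = m.groups()
            gap = gap[3:] if len(gap) > 3 else " "  # "ssl" takes three of the pad columns
            line = f"{lead}hostssl{gap}{rest}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"line {lineno}: {msg}")
    print(harden(SAMPLE_PG_HBA))
```

Run against the sample, `audit` flags the three `host` records (all of them accept a client that negotiates no SSL, which is exactly why the thread's psql session happened to get TLS without the file demanding it), and `audit(parse_pg_hba(harden(SAMPLE_PG_HBA)))` is empty. The `local` records are left alone on purpose: they are Unix-socket connections, not TCP, so the host/hostssl distinction does not apply to them.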
