Re: SSL confirmation

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: Steve Atkins <steve(at)blighty(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: SSL confirmation
Date: 2004-12-05 19:27:33
Message-ID: 20041205192733.GA4596@winnie.fuhr.org
Lists: pgsql-general pgsql-jdbc

On Sun, Dec 05, 2004 at 11:02:33AM -0800, Steve Atkins wrote:
> On Sun, Dec 05, 2004 at 11:27:57AM -0700, Michael Fuhr wrote:
> >
> > You can use psql to check if SSL is working. Psql prints a message
> > like the following if SSL was successfully negotiated:
> >
> > SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>
> I tend to fire up ethereal and look at the data stream to make absolutely
> sure that my app is doing SSL to postgresql.

Doesn't hurt to be sure.

> I've been burnt once or twice by the libpq my app uses not negotiating
> SSL correctly while the version of libpq that psql uses being just
> fine (dumb build problems on my part, but I'd probably have missed
> them without the sanity check of sniffing the connection).

On the backend side you can force SSL by using "hostssl" in
pg_hba.conf; connections that don't use SSL should then fail instead
of silently proceeding unencrypted. On the client side you could
set the PGSSLMODE environment variable to "require" (or the older
PGREQUIRESSL to "1"), which should tell libpq to attempt only SSL
connections.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
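
The "hostssl" point above as an added example (not part of the original message): a shell function that scans pg_hba.conf text for rules that would still let a non-SSL TCP connection through. The sample file, the function names and the choice to ignore loopback-only rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: list pg_hba.conf rules that still admit unencrypted TCP
# connections. Reads pg_hba.conf text on stdin, prints "line N: <rule>".
# Simplification: a '#' inside a quoted name is treated as a comment start.
plaintext_hba_rules() {
    awk '
        { sub(/#.*/, "") }                            # drop comments
        NF == 0 { next }                              # skip blank lines
        $1 != "host" && $1 != "hostnossl" { next }    # local and hostssl are fine
        $5 == "reject" || $6 == "reject" { next }     # CIDR form / IP+mask form
        $4 ~ /^127\./ || $4 ~ /^::1(\/|$)/ { next }   # loopback only (assumption)
        { $1 = $1; printf "line %d: %s\n", NR, $0 }   # normalise spacing, report
    '
}

# Constructed sample. Rules are matched top to bottom, and a non-SSL client
# never matches "hostssl", so it falls through to the plain "host" rule on
# line 5 and is accepted unencrypted.
sample_hba() {
    cat <<'EOF'
# TYPE    DATABASE  USER  ADDRESS                     METHOD
local     all       all                               md5
host      all       all   127.0.0.1/32                md5
hostssl   appdb     app   10.0.0.0/8                  md5
host      appdb     app   10.0.0.0/8                  md5   # plaintext allowed
hostnossl all       all   0.0.0.0/0                   reject
host      reports   ro    192.168.1.0 255.255.255.0   trust
EOF
}

sample_hba | plaintext_hba_rules
```

Run it against a real file with `plaintext_hba_rules < /path/to/pg_hba.conf`; each reported "host" rule is a candidate for changing to "hostssl".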
