| From: | Andres Freund <andres(at)anarazel(dot)de> |
|---|---|
| To: | "Chithambaram, Balaji (CONT)" <Balaji(dot)Chithambaram(at)capitalone(dot)com> |
| Cc: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
| Date: | 2016-10-25 14:45:11 |
| Message-ID: | 20161025144511.jedknmw7xjgxa5pf@alap3.anarazel.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or
> verify-full.
I guess you meant "can't" not "can"?
> How can we make sure sslmode=prefer either checks the
> certificate and establish ssl connection or not to try setting up ssl
> connection.
That's a nonsensical configuration, you can't.
> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.
No. Client configuration can't be enforced on the serverside. Random
client libraries can do whatever they want.
Andres
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Chithambaram, Balaji (CONT) | 2016-10-25 15:04:03 | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
| Previous Message | Chithambaram, Balaji (CONT) | 2016-10-25 14:41:34 | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |