| From: | "Peter J(dot) Holzer" <hjp-pgsql(at)hjp(dot)at> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: SSL/TLS encryption without |
| Date: | 2022-11-01 17:55:13 |
| Message-ID: | 20221101175513.7h6dheacyqdxq6sw@hjp.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 2022-11-01 11:13:01 -0500, Ron wrote:
> sides=> select * from pg_stat_ssl where pid = 362;
> -[ RECORD 1 ]-+----------------------------
> pid | 362
> ssl | t
> version | TLSv1.2
> cipher | ECDHE-RSA-AES256-GCM-SHA384
> bits | 256
> compression | f
> client_dn |
> client_serial |
> issuer_dn |
>
> I've got 85 connections where ssl='t'. How can connections be encrypted
> using SSL/TLS without a client certificate?
Given that you probably never generated a client certificate for your
browser: How could HTTPS work?
The certificates are used for authentication, not for encryption. The
public key(s) included in the certificates may be used during key
exchange, but there are key exchange algorithms which don't need that
(in fact I think ECDHE is one of them) at all, and even those that do
need only one key, so it is sufficient that only the server has a
certificate.
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp(at)hjp(dot)at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bryn Llewellyn | 2022-11-01 20:20:42 | Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all" |
| Previous Message | Karsten Hilbert | 2022-11-01 16:15:01 | Aw: Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all" |