From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL over Unix-domain sockets |
Date: | 2009-03-27 11:49:51 |
Message-ID: | 49CCBD5F.6000702@hagander.net |
Lists: | pgsql-hackers |
Peter Eisentraut wrote:
> Magnus Hagander wrote:
>>>> Perhaps it's enough to add a "localssl" row to pg_hba.conf?
>>> That defeats the point, I think. You don't want the server to determine
>>> whether the client should verify the server.
>>
>> Good point. OTOH, client behavior can be controlled now fine by setting
>> it to "require" or "prefer" - I think that's enough.
>>
>> However, we might want a simple ssl_local=true/false parameter on the
>> server that turns it on/off completely.
>
> But the choice is that of the client:
>
> 1) I want a connection with server authentication. or
>
> 2) I want a fast connection, I don't care about server authentication.
>
> No configuration knob in the server can ever solve this.
>
> Of course the client has all the sslmode parameters to make its wishes
> known, but the point here is that the *default* should possibly be a
> different one in the case of Unix-domain sockets.
Agreed, except I really don't see why the default should be different.
>>> Another thought I had is to somehow employ hostaddr, as in
>>> "hostaddr=/tmp host=real.hostname.lan".
>>
>> That seems rather abusive.
>
> True, but Kerberos more or less works this way. hostaddr is where to
> connect, host is what to use for authentication.
Yeah, and it has always annoyed me :)
I think it'd be better to just get the hostname of the system, and use
that.
>>> Another^2 thought is to just examine the certificate for the local host
>>> name, which the client can find out itself.
>>
>> That could work. In which case we should probably consider doing the
>> same thing for "localhost" or "127.0.0.1" connections.
>
> Hmm, as per my statement above, this would be the right thing to do. But
> I think https works differently. Tricky ...
Yeah, https requires the cert to be named "localhost". It's a smaller
issue on a Unix system since the http/https ports require root to bind
to them, and if somebody is root no amount of SSL is going to help you
anyway...
//Magnus
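The client-side identity rules debated in this thread, written out as an added example (hypothetical code, not libpq's and not from either author): a Unix-domain socket target is verified against the local hostname, a loopback TCP target against "localhost", and otherwise `host` names the identity while `hostaddr` only chooses where to connect. The certificate names and hostnames used are constructed; wildcard handling follows the usual left-most-label rule.

```python
import socket

def expected_identity(conninfo, local_hostname=None):
    """Which name the server certificate must carry for this connection.

    conninfo is a dict of libpq-style parameters (host, hostaddr, sslmode).
    local_hostname overrides socket.gethostname() so tests are deterministic.
    """
    host = conninfo.get("host", "")
    if host.startswith("/"):                 # Unix-domain socket directory
        return local_hostname or socket.gethostname()
    if host in ("localhost", "127.0.0.1", "::1"):
        return "localhost"                   # what https expects for loopback
    return host                              # hostaddr never changes the identity

def _name_matches(pattern, name):
    """Case-insensitive match; '*.' may replace only the left-most label,
    and never a label directly under the top-level domain."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        labels = name.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False

def certificate_matches(cert_names, identity):
    """True if any subjectAltName / CN entry in cert_names covers identity."""
    return any(_name_matches(n, identity) for n in cert_names)

def server_authenticated(conninfo, cert_names, local_hostname=None):
    """The full check a client would run after the TLS handshake."""
    return certificate_matches(cert_names, expected_identity(conninfo, local_hostname))

if __name__ == "__main__":
    CERT = ["real.hostname.lan", "localhost"]        # constructed SAN list
    for ci in ({"host": "/tmp"},
               {"hostaddr": "/tmp", "host": "real.hostname.lan"},
               {"host": "127.0.0.1"},
               {"host": "other.lan"}):
        print(ci, server_authenticated(ci, CERT, local_hostname="real.hostname.lan"))
```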