Re: sslmode verify-ca and verify-full: essentially the same?

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: David Guyot <david(dot)guyot(at)europecamions-interactive(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: sslmode verify-ca and verify-full: essentially the same?
Date: 2015-01-27 13:37:20
Message-ID: CABUevEwqwu0vNbtmVpP07oA4rWJOVYQ6wb5DwSjai_VoPx02Kw@mail.gmail.com
Lists: pgsql-general

On Tue, Jan 27, 2015 at 2:29 PM, David Guyot <
david(dot)guyot(at)europecamions-interactive(dot)com> wrote:

> Hi, there.
>
> Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
> right one for my question.
>
> I'm trying to secure further some PgSQL servers and am reading
> documentation about the libpq sslmode option. I have a question about that:
> as I understand the internals of this option, the difference between
> verify-ca and verify-full is that, for verify-full, the client will compare
> the hostname the server gave and the one in the SSL certificate, and
> will give up if these two values differ. Am I right up to now?
>

Almost correct. It will compare the hostname that the client used (in the
connection string) with the hostname in the SSL certificate, and give up if
the two values differ.

The server does not give the client a hostname at any point (other than the
CN of the certificate).

> If I'm right, I feel like the extra security of verify-full compared to
> verify-ca is merely a smoke screen because, as far as I know, nothing
> prevents a crafted server from reading the certificate's hostname and giving
> this one as its own, and libpq shouldn't show a better MitM
> protection with verify-full than with verify-ca. If I'm wrong, where am
> I wrong? How does libpq verify the server's name? Reverse DNS? Other
> means?
>

libpq uses the hostname that you specify in the connection string (or in an
environment variable, or however you end up specifying it).

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
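As an added illustration that is not part of the thread, the following Python model shows the difference the reply describes: verify-ca only checks that the server certificate chains to a trusted CA, while verify-full additionally compares the host name the client put in its connection string against the name in the certificate. Certificates and the CA store are constructed stand-ins, not real X.509 parsing; the CN matching rule (single leading "*." wildcard covering one label) follows libpq's documented behaviour, and the SAN list is an assumption to model newer libpq releases.

```python
from dataclasses import dataclass, field

# Constructed stand-in for an X.509 certificate: just the names that matter
# for the verify-ca / verify-full distinction.
@dataclass
class Cert:
    cn: str                      # subject Common Name
    issuer: str                  # issuing CA name
    sans: list = field(default_factory=list)   # SAN dNSName entries (assumed)

TRUSTED_CAS = {"Example Corp Root CA"}   # constructed root store (~/.postgresql/root.crt)

def chains_to_trusted_ca(cert: Cert) -> bool:
    """verify-ca check: certificate must be issued by a CA in the root store."""
    return cert.issuer in TRUSTED_CAS

def name_matches(pattern: str, host: str) -> bool:
    """verify-full check: certificate name vs. the host the client dialled.
    A leading '*.' matches exactly one leftmost label (db1.example.com, not
    a.b.example.com), as libpq documents for CN wildcards."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        leftmost = host[:-len(suffix)] if host.endswith(suffix) else ""
        return leftmost != "" and "." not in leftmost
    return pattern == host

def verify(sslmode: str, cert: Cert, connect_host: str):
    """Return (accepted, reason). connect_host is the name from the client's
    connection string; the server never supplies it, only the certificate."""
    if sslmode not in ("verify-ca", "verify-full"):
        return True, "no certificate verification requested"
    if not chains_to_trusted_ca(cert):
        return False, "certificate does not chain to a trusted CA"
    if sslmode == "verify-ca":
        return True, "chain verified; host name not checked"
    names = [cert.cn] + cert.sans
    if any(name_matches(n, connect_host) for n in names):
        return True, f"chain verified and '{connect_host}' matches certificate"
    return False, f"certificate names {names} do not match '{connect_host}'"

if __name__ == "__main__":
    # A valid, CA-signed certificate for a *different* host in the same
    # organisation: verify-ca accepts it, verify-full rejects it.
    other = Cert("db2.example.com", "Example Corp Root CA")
    for mode in ("verify-ca", "verify-full"):
        print(mode, verify(mode, other, "db1.example.com"))
```

The second case is the one the question is about: a certificate that is genuinely CA-signed but for another name passes verify-ca, and only verify-full ties the certificate to the host the client actually asked for.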
