Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

We can enforce on our client setup sslmode=verify-ca or verify-full. How can we make sure sslmode=prefer either checks the certificate and establish ssl connection or not to try setting up ssl connection.

Let me ask in another way, is it possible to block sslmode=prefer from any clients on the server configuration like postgresql.conf or pg_hba.conf or in any other place.

Thanks,
Balaji CT

-----Original Message-----
From: Andres Freund [mailto:andres(at)anarazel(dot)de]
Sent: Tuesday, October 25, 2016 10:21 AM
To: Chithambaram, Balaji (CONT) <Balaji(dot)Chithambaram(at)capitalone(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 13:50:16 +0000, balaji(dot)chithambaram(at)capitalone(dot)com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14395
> Logged by: Balaji Chithambaram
> Email address: balaji(dot)chithambaram(at)capitalone(dot)com
> PostgreSQL version: 9.5.4
> Operating system: Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use default client method sslmode=prefer expected behaviour is
> to try ssl connection by validating the certificate and then if it
> doesn't go for non-SSL connection. But sslmode=prefer goes to SSL
> connection without checking certificate provided.
>
> This gives an option if any servers ip configured for ssl connection
> can be spoofed by with same ip, though we enforced ssl with
> certificate, it can connect with out actual certificate and defeats the purpose.

If somebody can MITM the connection, they can also fake not supporting SSL. sslmode=prefer simply isn't an adequate protection against that, and you need to use sslmode=verify-ca or verify-full.

________________________________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.