Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

From: "Chithambaram, Balaji (CONT)" <Balaji(dot)Chithambaram(at)capitalone(dot)com>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
Date: 2016-10-25 15:04:03
Message-ID: CY1P103MB0042671996279F4D6B47206F9FA80@CY1P103MB0042.NAMP103.PROD.OUTLOOK.COM
Lists: pgsql-bugs

We can enforce on our client setup sslmode=verify-ca or verify-full. [I was trying to make a statement that we can do this.]

The problem I see: sslmode=prefer is not checking for the certificate, and if you go to the logs on the server side or the psql client prompt, it says it established an SSL connection, with protocols and so on. The documentation says sslmode=prefer is the default client setup, and we are using 9.5 clients. So if we make sslmode=prefer check for the certificate, or if we block the SSL connection itself while setting up sslmode=prefer, either of those would help us, and we are trying to find a solution from that angle.

-----Original Message-----
From: Andres Freund [mailto:andres(at)anarazel(dot)de]
Sent: Tuesday, October 25, 2016 10:45 AM
To: Chithambaram, Balaji (CONT) <Balaji(dot)Chithambaram(at)capitalone(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or verify-full.

I guess you meant "can't" not "can"?

> How can we make sure sslmode=prefer either checks the certificate and
> establish ssl connection or not to try setting up ssl connection.

That's a nonsensical configuration, you can't.

> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.

No. Client configuration can't be enforced on the server side. Random client libraries can do whatever they want.

Andres

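The thread's point is that sslmode is a client-side choice: a server cannot make a client verify its certificate, and the default `prefer` both skips verification and falls back to plaintext. The practical defence is to audit the connection strings and environment your own clients use. The script below is an added example, not code from this thread or from PostgreSQL; it resolves the effective sslmode the way libpq does (conninfo, then `PGSSLMODE`, then the default `prefer`), covers all six libpq modes rather than only `prefer`, and reports what each one leaves unchecked. The connection strings in `__main__` are constructed samples; the tokenizer assumes `key=value` pairs without spaces around `=`.

```python
"""Audit the effective libpq sslmode of a connection string.

Added example (not from the pgsql-bugs thread or from PostgreSQL itself).
The sslmode table follows the libpq documentation; PGSSLMODE, PGSSLROOTCERT
and the default ~/.postgresql/root.crt path are libpq's own conventions.
"""
import os
import shlex
from urllib.parse import urlparse, parse_qs

# What each libpq sslmode guarantees: whether TLS is mandatory, whether the
# server certificate chain is checked against a CA, and whether the host name
# is matched against the certificate.
SSLMODES = {
    "disable":     {"tls": "never",    "ca": False, "hostname": False},
    "allow":       {"tls": "fallback", "ca": False, "hostname": False},  # plaintext first
    "prefer":      {"tls": "fallback", "ca": False, "hostname": False},  # TLS first, plaintext on failure
    "require":     {"tls": "always",   "ca": False, "hostname": False},
    "verify-ca":   {"tls": "always",   "ca": True,  "hostname": False},
    "verify-full": {"tls": "always",   "ca": True,  "hostname": True},
}
DEFAULT_SSLMODE = "prefer"  # libpq's default when nothing sets sslmode


def parse_conninfo(conninfo):
    """Return the options of a key=value conninfo string or a postgresql:// URI.

    Single-quoted values are supported; spaces around '=' are not (an
    assumption made to keep the tokenizer short).
    """
    opts = {}
    if conninfo.startswith(("postgresql://", "postgres://")):
        url = urlparse(conninfo)
        for key, values in parse_qs(url.query).items():
            opts[key] = values[-1]  # last occurrence wins
        return opts
    for token in shlex.split(conninfo):
        if "=" in token:
            key, value = token.split("=", 1)
            opts[key] = value
    return opts


def effective_sslmode(conninfo, env=None):
    """Resolve sslmode the way libpq does: conninfo, then PGSSLMODE, then the default."""
    env = os.environ if env is None else env
    mode = parse_conninfo(conninfo).get("sslmode") or env.get("PGSSLMODE") or DEFAULT_SSLMODE
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    return mode


def audit(conninfo, env=None):
    """Report what the resolved sslmode does and does not protect against."""
    env = os.environ if env is None else env
    opts = parse_conninfo(conninfo)
    mode = effective_sslmode(conninfo, env)
    props = SSLMODES[mode]
    findings = []
    if props["tls"] == "never":
        findings.append("TLS is never used")
    elif props["tls"] == "fallback":
        findings.append("connection silently falls back to plaintext if the TLS attempt fails")
    if not props["ca"]:
        findings.append("server certificate is not verified: any certificate is accepted")
    elif not props["hostname"]:
        findings.append("certificate chain is checked but the host name is not")
    if props["ca"] and not (opts.get("sslrootcert") or env.get("PGSSLROOTCERT")):
        findings.append("relies on the default CA file ~/.postgresql/root.crt (sslrootcert not set)")
    return {
        "sslmode": mode,
        "verified": props["ca"] and props["hostname"],  # True only for verify-full
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from the thread.
    for dsn in ("host=db.example.com dbname=app user=app",
                "postgresql://app@db.example.com/app?sslmode=verify-full&sslrootcert=/etc/ssl/pg-ca.pem"):
        print(dsn, "->", audit(dsn, env={}))
```

Run it over the connection strings and environment of each client deployment; anything that resolves to `prefer` (including strings that simply omit sslmode) is exactly the case discussed in the thread, and only `verify-full` yields an empty findings list.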
