Re: proper pg_hba config to require ssl from non-local/private ips

From: Scott Ribe <scott_ribe(at)elevated-dev(dot)com>
To: Matthew Lenz <mlenz(at)nocturnal(dot)org>
Cc: pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: proper pg_hba config to require ssl from non-local/private ips
Date: 2022-10-19 16:41:41
Message-ID: E7513C58-F643-41B0-9EFD-EA8455B36553@elevated-dev.com
Lists: pgsql-admin

> On Oct 19, 2022, at 10:29 AM, Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:
>
> I didn't say the client was meant to enforce it. I meant the server should be enforcing it (it's not).

Doesn't really make sense for the server to determine client verification of server certificate.

1) Server controls what certificate is provided, thus has control over what CA is used.

2) What would it mean for server to turn OFF client verification? Server is allowed to say "here's my cert, doesn't matter that it's using a bogus CA, you take it regardless of your local settings"???
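The server-side half of this split, as an added example that is not part of the original message or thread: pg_hba.conf records decide only whether a connection from a given address must be encrypted, while server-certificate verification is chosen by the client (libpq `sslmode=verify-ca` or `verify-full`) and has no pg_hba field. The sample file is constructed, and the evaluator assumes CIDR addresses and ignores the database and user columns.

```python
import ipaddress

# Constructed pg_hba.conf for illustration (not taken from the thread).
SAMPLE_HBA = """
# TYPE     DATABASE USER ADDRESS         METHOD
local      all      all                  peer
host       all      all  127.0.0.1/32    scram-sha-256
host       all      all  10.0.0.0/8      scram-sha-256
hostssl    all      all  0.0.0.0/0       scram-sha-256
hostnossl  all      all  0.0.0.0/0       reject
"""

def parse_hba(text):
    """Return (type, network, method) for each TCP record, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Assumption: 5-column records with a CIDR address; "local" lines are skipped.
        if len(fields) >= 5 and fields[0] in ("host", "hostssl", "hostnossl"):
            rules.append((fields[0], ipaddress.ip_network(fields[3]), fields[4]))
    return rules

def first_match(rules, client_ip, uses_ssl):
    """PostgreSQL applies the first matching record; later ones are not consulted."""
    ip = ipaddress.ip_address(client_ip)
    for kind, net, method in rules:
        if kind == "hostssl" and not uses_ssl:
            continue  # hostssl matches only TLS connections
        if kind == "hostnossl" and uses_ssl:
            continue  # hostnossl matches only unencrypted connections
        if ip.version == net.version and ip in net:
            return kind, method  # plain "host" matches with or without TLS
    return None, "reject"  # no matching record: the connection is refused

def plaintext_allowed(rules, client_ip):
    """True if an unencrypted connection from client_ip reaches a non-reject method."""
    return first_match(rules, client_ip, uses_ssl=False)[1] != "reject"

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip in ("10.1.2.3", "203.0.113.7"):
        print(ip, "plaintext allowed:", plaintext_allowed(rules, ip))
```

Nothing in these records can tell whether the connecting client checked the server's certificate against a CA; that outcome depends solely on the client's own `sslmode` and `sslrootcert` settings.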
