Re: Spoofing as the postmaster
| От | Bruce Momjian |
|---|---|
| Тема | Re: Spoofing as the postmaster |
| Дата | |
| Msg-id | 200712241650.lBOGoUp11258@momjian.us обсуждение исходный текст |
| Ответ на | Re: Spoofing as the postmaster ("Mike Rylander" <mrylander@gmail.com>) |
| Список | pgsql-hackers |
Mike Rylander wrote: > On Dec 22, 2007 1:04 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Peter Eisentraut <peter_e@gmx.net> writes: > > > Wouldn't SSL work over Unix-domain sockets as well? The API only deals with > > > file descriptors. > > > > Hmm ... we've always thought of SSL as being primarily comm security > > and thus useless on a Unix socket, but the mutual authentication aspect > > could come in handy as an answer for this type of threat. Anyone want > > to try this and see if it really works or not? > > > > Does OpenSSL have a mode where it only does mutual auth and not > > encryption? The encryption would be wasted cycles in this scenario, > > so being able to turn it off would be nice. > > > > miker@whirly:~$ openssl ciphers -v 'NULL' > NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 > NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 > > I see no way to turn off the message digest, but maybe that's just an > added benefit. So if we set ssl_ciphers in postgresql.conf to: ssl_ciphers = 'NULL-SHA:NULL-MD5' then SSL does client and server machine authentication with no encryption overhead? -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
В списке pgsql-hackers по дате отправления: