Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
From | Andres Freund |
---|---|
Subject | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
Date | |
Msg-id | 20161025142123.72avv5hxo224srmo@alap3.anarazel.de |
In reply to | BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL (balaji.chithambaram@capitalone.com) |
Responses | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
List | pgsql-bugs |
On 2016-10-25 13:50:16 +0000, balaji.chithambaram@capitalone.com wrote:
> The following bug has been logged on the website:
>
> Bug reference:      14395
> Logged by:          Balaji Chithambaram
> Email address:      balaji.chithambaram@capitalone.com
> PostgreSQL version: 9.5.4
> Operating system:   Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use default client method sslmode=prefer expected behaviour is to
> try ssl connection by validating the certificate and then if it doesn't go
> for non-SSL connection. But sslmode=prefer goes to SSL connection without
> checking certificate provided.
>
> This gives an option if any servers ip configured for ssl connection can be
> spoofed by with same ip, though we enforced ssl with certificate, it can
> connect with out actual certificate and defeats the purpose.

If somebody can MITM the connection, they can also fake not supporting
SSL. sslmode=prefer simply isn't an adequate protection against that,
and you need to use sslmode=verify-ca or verify-full.
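
A client-side check following the reply above, as an added example that is not part of the original message or of PostgreSQL's own code: it reads libpq connection strings and reports which ones do not authenticate the server. The names `audit` and `conninfo_params`, the verdict strings and the sample hosts are assumptions of this example, and the parser is a simplified reading of libpq's keyword/value and URI syntax.

```python
import re
from urllib.parse import parse_qs, urlsplit

# sslmode -> (encryption guaranteed, server certificate verified), per the
# libpq documentation. "allow" and "prefer" can end up on a plaintext connection.
PROTECTION = {
    "disable": (False, False), "allow": (False, False), "prefer": (False, False),
    "require": (True, False), "verify-ca": (True, True), "verify-full": (True, True),
}
# keyword = value, where value is bare or single-quoted with backslash escapes
_PAIR = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']*)")


def conninfo_params(dsn):
    """Parse a keyword/value connection string or postgresql:// URI (simplified)."""
    if dsn.startswith(("postgresql://", "postgres://")):
        return {k: v[-1] for k, v in parse_qs(urlsplit(dsn).query).items()}
    params = {}
    for key, val in _PAIR.findall(dsn):
        if val.startswith("'"):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        params[key] = val
    return params


def audit(dsn, env=None):
    """Return (effective sslmode, verdict) for one client connection string."""
    # An explicit parameter wins over PGSSLMODE; with neither, libpq uses "prefer".
    mode = conninfo_params(dsn).get("sslmode") or (env or {}).get("PGSSLMODE") or "prefer"
    if mode not in PROTECTION:
        return mode, "invalid sslmode"
    encrypted, verified = PROTECTION[mode]
    if verified:
        return mode, "ok"
    if encrypted:
        return mode, "encrypted, server not authenticated"
    return mode, "plaintext possible"


SAMPLES = [  # constructed connection strings; host names are placeholders
    "host=db.example.internal dbname=app user=app",
    "host=db.example.internal sslmode = 'prefer'",
    "postgresql://app@db.example.internal/app?sslmode=require",
    "host=db.example.internal sslmode=verify-full sslrootcert=/etc/ssl/pg-root.crt",
]

if __name__ == "__main__":
    for dsn in SAMPLES:
        print(*audit(dsn), dsn, sep=" | ")
```

Both `verify-ca` and `verify-full` are reported as `ok` here; `verify-ca` checks only that the certificate chains to a trusted CA, while `verify-full` also checks that the host name matches the certificate.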