Re: sslmode=require fallback
| От | Magnus Hagander |
|---|---|
| Тема | Re: sslmode=require fallback |
| Дата | |
| Msg-id | CABUevEy5f=gedCpe93p9Hk1qRfEzDtbXyMgvkp=z31xfO0Auqw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: sslmode=require fallback (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
| Ответы |
Re: sslmode=require fallback
Re: sslmode=require fallback Re: sslmode=require fallback |
| Список | pgsql-hackers |
On Fri, Jul 15, 2016 at 5:10 AM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
it will equally fall back on incompatible SSL configs. Or on a network hiccup. The presence of the certificate is just one of many different scenarios where it will fall back.
-- On 7/13/16 4:11 PM, Robert Haas wrote:
> On Thu, Jun 16, 2016 at 3:42 AM, Magnus Hagander <magnus@hagander.net> wrote:
>> You would think so.
>>
>> The default mode of "prefer" is ridiculous in a lot of ways. If you are
>> using SSL in any shape or form you should simply not use "prefer". That's
>> really the only answer at this point, unfortunately.
>
> Suppose we changed the default to "require". How crazy would that be?
If we think that that is appropriate, should we not also change the
default pg_hba.conf to hostssl lines?
I'm not convinced either of these would go over well.
It would actually, IMO, make more sense to change the default pg_hba lines and not change the client settings... But I'm not sure either of those would go over well.
The original complaint was not actually that "prefer" is a bad default,
but that in the presence of a root certificate on the client, a
certificate validation failure falls back to plain text. That seems
like a design flaw of the "prefer" mode, no matter whether it is the
default or not.
The entire "prefer" mode is a design flaw, that we unfortunately picked as default mode.
If it fails *for any reason*, it falls back to plaintext. Thus, you have to assume it will make a plaintext connection. Thus, it gives you zero guarantees, so it serves no actual purpose from a security perspective.
it will equally fall back on incompatible SSL configs. Or on a network hiccup. The presence of the certificate is just one of many different scenarios where it will fall back.
If you care about encryption, you should pick something else (require/verify). If you don't care about encryption, you should pick something else (allow, probably) so as not to pay unnecessary overhead.
В списке pgsql-hackers по дате отправления: