Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
From | Chithambaram, Balaji (CONT) |
---|---|
Subject | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
Date | |
Msg-id | CY1P103MB00423B6A12425236BA7891F89FA80@CY1P103MB0042.NAMP103.PROD.OUTLOOK.COM |
In reply to | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL (Andres Freund <andres@anarazel.de>) |
List | pgsql-bugs |
We can enforce on our client setup sslmode=verify-ca or verify-full. How can we make sure sslmode=prefer either checks the certificate and establishes an ssl connection or does not try setting up an ssl connection.

Let me ask in another way, is it possible to block sslmode=prefer from any clients on the server configuration like postgresql.conf or pg_hba.conf or in any other place.

Thanks,
Balaji CT

-----Original Message-----
From: Andres Freund [mailto:andres@anarazel.de]
Sent: Tuesday, October 25, 2016 10:21 AM
To: Chithambaram, Balaji (CONT) <Balaji.Chithambaram@capitalone.com>
Cc: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 13:50:16 +0000, balaji.chithambaram@capitalone.com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14395
> Logged by: Balaji Chithambaram
> Email address: balaji.chithambaram@capitalone.com
> PostgreSQL version: 9.5.4
> Operating system: Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use default client method sslmode=prefer expected behaviour is
> to try ssl connection by validating the certificate and then if it
> doesn't go for non-SSL connection. But sslmode=prefer goes to SSL
> connection without checking certificate provided.
>
> This gives an option if any servers ip configured for ssl connection
> can be spoofed by with same ip, though we enforced ssl with
> certificate, it can connect without actual certificate and defeats the purpose.

If somebody can MITM the connection, they can also fake not supporting SSL. sslmode=prefer simply isn't an adequate protection against that, and you need to use sslmode=verify-ca or verify-full.
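A server-side check that follows from the exchange above, added here as an example and not part of the thread or of PostgreSQL itself. The server never learns which sslmode a client asked for, and server-certificate verification only ever happens on the client (which is why the answer remains sslmode=verify-ca or verify-full), but the server can refuse to serve plaintext sessions at all: in pg_hba.conf a `hostssl` rule matches only SSL connections, `hostnossl` only non-SSL ones, and plain `host` both. Any `host` or `hostnossl` rule whose method is not `reject` is therefore a place where a client that fell back from SSL would still be accepted. The script below is a small pg_hba.conf linter that flags such rules; the sample file it parses is constructed for the example.

```python
"""pg_hba.conf linter: flag rules that would accept a non-SSL TCP connection.

Added example for the thread above, not PostgreSQL project code. The only
server-side control over a client that silently fell back from SSL is to
refuse plaintext sessions in pg_hba.conf; client-side certificate checking
(verify-ca / verify-full) is not something the server can enforce.
"""
import re

# Constructed sample pg_hba.conf (not taken from the thread). Columns are
# TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]; "local" rules
# (Unix-domain sockets) carry no address.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER      ADDRESS         METHOD
local     all       postgres                  peer
hostssl   all       all       10.0.0.0/8      md5 clientcert=1
host      all       all       10.0.0.0/8      md5
hostnossl all       all       0.0.0.0/0       reject
host      all       all       192.168.1.0/24  trust
host      all       all       172.16.0.0 255.255.0.0 md5
"""

# Rule types that can match a TCP connection made without SSL.
PLAINTEXT_TYPES = {"host", "hostnossl"}
_DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_pg_hba(text):
    """Return a list of rule dicts: line, type, database, user, address, method, options."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        rtype = fields[0]
        if rtype == "local":
            if len(fields) < 4:
                continue                          # malformed; the server would refuse to load it
            database, user, method = fields[1], fields[2], fields[3]
            address, options = None, fields[4:]
        else:
            if len(fields) < 5:
                continue
            database, user, address = fields[1], fields[2], fields[3]
            rest = fields[4:]
            # Separate-netmask form: "172.16.0.0 255.255.0.0 md5"
            if "/" not in address and rest and _DOTTED_QUAD.fullmatch(rest[0]):
                address = address + "/" + rest[0]
                rest = rest[1:]
            if not rest:
                continue
            method, options = rest[0], rest[1:]
        rules.append({
            "line": lineno, "type": rtype, "database": database, "user": user,
            "address": address, "method": method, "options": options,
        })
    return rules


def find_plaintext_allowing_rules(text):
    """Rules that would let a non-SSL TCP connection proceed to authentication."""
    return [r for r in parse_pg_hba(text)
            if r["type"] in PLAINTEXT_TYPES and r["method"] != "reject"]


if __name__ == "__main__":
    for r in find_plaintext_allowing_rules(SAMPLE_PG_HBA):
        print(f"line {r['line']}: {r['type']} rule for {r['address']} uses "
              f"{r['method']}; a client that fell back from SSL would be accepted")
```

On the sample file the linter reports lines 4, 6 and 7; the `hostssl` rule (which additionally demands a client certificate via `clientcert=1`) and the `hostnossl ... reject` rule are left alone. Replacing each flagged `host` rule with a `hostssl` rule, and keeping a trailing `hostnossl all all 0.0.0.0/0 reject`, makes the server drop any session that did not negotiate SSL, which is the closest the server side can get to what the question asks for.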