Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
From | Chithambaram, Balaji (CONT) |
---|---|
Subject | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL |
Date | |
Msg-id | CY1P103MB0042671996279F4D6B47206F9FA80@CY1P103MB0042.NAMP103.PROD.OUTLOOK.COM |
In reply to | Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL (Andres Freund <andres@anarazel.de>) |
List | pgsql-bugs |
We can enforce on our client setup sslmode=verify-ca or verify-full. [I was trying to make a statement that we can do this]. The problem I see: sslmode=prefer is not checking for the certificate, and if you go to the logs on the server side or the psql client prompt, it says it established an SSL connection with protocols and so on. Documentation says sslmode=prefer is the default client setup and we are using 9.5 clients. So if we make sslmode=prefer check for the certificate, or if we block the SSL connection itself while setting up sslmode=prefer, any one of those would help us, and we are trying to see a solution from that angle.

-----Original Message-----
From: Andres Freund [mailto:andres@anarazel.de]
Sent: Tuesday, October 25, 2016 10:45 AM
To: Chithambaram, Balaji (CONT) <Balaji.Chithambaram@capitalone.com>
Cc: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or verify-full.

I guess you meant "can't" not "can"?

> How can we make sure sslmode=prefer either checks the certificate and
> establish ssl connection or not to try setting up ssl connection.

That's a nonsensical configuration, you can't.

> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.

No. Client configuration can't be enforced on the serverside. Random client libraries can do whatever they want.

Andres
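The thread's point is that sslmode=prefer (the libpq default) never checks the server certificate and the server cannot force a client mode. An added example, not from the thread or from PostgreSQL itself, is a client-side audit that reports which guarantee a libpq connection string actually gets, applying libpq's precedence of an explicit sslmode in the string, then the PGSSLMODE environment variable, then the default of prefer; the sample connection strings in the test are constructed.

```python
import os
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# What each libpq sslmode guarantees, per the PostgreSQL libpq documentation:
# (encryption guaranteed, server cert chained to a trusted CA, hostname checked)
SSLMODE_GUARANTEES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # plaintext first, SSL only if the server insists
    "prefer":      (False, False, False),  # SSL tried first, silently falls back to plaintext
    "require":     (True,  False, False),  # encrypted, but any certificate is accepted
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}


def effective_sslmode(conninfo: str, env: Optional[Dict[str, str]] = None) -> str:
    """Return the sslmode libpq would apply to this connection string.

    Precedence mirrors libpq: a parameter in the string beats PGSSLMODE in the
    environment, which beats the built-in default of 'prefer'.
    """
    env = os.environ if env is None else env
    mode = None
    if conninfo.startswith(("postgresql://", "postgres://")):
        # URI form: sslmode travels in the query string
        qs = parse_qs(urlparse(conninfo).query)
        if "sslmode" in qs:
            mode = qs["sslmode"][-1]
    else:
        # keyword=value form; values may be single-quoted
        m = re.search(r"(?:^|\s)sslmode\s*=\s*'?([\w-]+)'?", conninfo)
        if m:
            mode = m.group(1)
    if mode is None:
        mode = env.get("PGSSLMODE") or "prefer"
    return mode


def audit(conninfo: str, env: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Flag connection strings whose effective sslmode does not verify the server."""
    mode = effective_sslmode(conninfo, env)
    enc, ca, host = SSLMODE_GUARANTEES.get(mode, (False, False, False))
    return {"sslmode": mode, "encrypted": enc, "cert_verified": ca,
            "hostname_verified": host, "ok": ca and host}
```

Running the audit over an application's connection strings is the client-side control the thread arrives at, since the server cannot reject a prefer client that happens to negotiate SSL.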