
Re: [pgsql-hackers-win32] More SSL questions..

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Oliver Jowett <oliver(at)opencloud(dot)com>
Cc: Magnus Hagander <mha(at)sollentuna(dot)net>,Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>,"T(dot)J(dot)" <tjtoocool(at)phreaker(dot)net>, pgsql-bugs(at)postgresql(dot)org,pgsql-hackers-win32(at)postgresql(dot)org
Subject: Re: [pgsql-hackers-win32] More SSL questions..
Date: 2005-01-05 22:36:23
Message-ID: 1755.1104964583@sss.pgh.pa.us
Lists: pgsql-bugs, pgsql-hackers-win32
Oliver Jowett <oliver(at)opencloud(dot)com> writes:
> Tom Lane wrote:
>> I'm not sure if this is desirable.  Should libpq try to fall back to a
>> non-SSL-encrypted connection, instead?

> Only if the server certificate validates, otherwise an active attacker 
> could intercept the SSL connection to force libpq to fall back to 
> non-SSL and then intercept the unencrypted/unauthenticated connection. 

The problem case is where there are no SSL support files, and so the client
isn't going to be able to validate the server cert anyway.  So the above
doesn't seem real helpful...

Basically my point here is that the default "prefer" SSL mode
effectively becomes "require" if the server has a root.crt.

			regards, tom lane
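
An added example, not part of the original message and not PostgreSQL code: a small audit of libpq keyword/value connection strings that reports which ones leave a plaintext session possible, which is the downgrade exposure discussed above. The `disable` and `allow` modes come from libpq's documentation rather than from this message, and the host names and sample strings are constructed.

```python
import re

# sslmode values under which libpq may end up on an unencrypted session.
# "prefer" and "require" are named in the thread; "disable" and "allow"
# are the other non-mandatory modes documented for libpq.
PLAINTEXT_POSSIBLE = {"disable", "allow", "prefer"}
DEFAULT_SSLMODE = "prefer"  # the default mode, as the message above notes

# keyword = value, where value is bare or single-quoted with backslash escapes
_PAIR = re.compile(r"\s*([A-Za-z_]+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|([^\s']*))")


def parse_conninfo(conninfo):
    """Parse a libpq keyword/value connection string into a dict."""
    params, pos = {}, 0
    while conninfo[pos:].strip():
        m = _PAIR.match(conninfo, pos)
        if not m:
            raise ValueError(f"cannot parse conninfo at offset {pos}")
        key, quoted, bare = m.groups()
        # Undo backslash escapes only inside quoted values.
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params


def audit(conninfo):
    """Return (effective sslmode, True if a plaintext session is possible).

    Assumption: no PGSSLMODE environment override is in effect.
    """
    mode = parse_conninfo(conninfo).get("sslmode", DEFAULT_SSLMODE)
    return mode, mode in PLAINTEXT_POSSIBLE


# Constructed sample connection strings (not from the thread).
SAMPLES = [
    "host=db.example.internal dbname=app user=app",
    "host=db.example.internal sslmode=prefer",
    "host=db.example.internal sslmode = 'require' password='it\\'s'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        mode, exposed = audit(s)
        print(f"{mode:8} plaintext_possible={exposed}  {s}")
```

The first sample sets no `sslmode` at all and is still reported as exposed, because it inherits the `prefer` default.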
