Skip site navigation (1) Skip section navigation (2)

Re: Spoofing as the postmaster

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Mike Rylander <mrylander(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Subject: Re: Spoofing as the postmaster
Date: 2007-12-24 16:50:30
Message-ID: 200712241650.lBOGoUp11258@momjian.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Mike Rylander wrote:
> On Dec 22, 2007 1:04 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > > Wouldn't SSL work over Unix-domain sockets as well?  The API only deals with
> > > file descriptors.
> >
> > Hmm ... we've always thought of SSL as being primarily comm security
> > and thus useless on a Unix socket, but the mutual authentication aspect
> > could come in handy as an answer for this type of threat.  Anyone want
> > to try this and see if it really works or not?
> >
> > Does OpenSSL have a mode where it only does mutual auth and not
> > encryption?  The encryption would be wasted cycles in this scenario,
> > so being able to turn it off would be nice.
> >
> 
> miker(at)whirly:~$ openssl ciphers -v  'NULL'
> NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
> NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
> 
> I see no way to turn off the message digest, but maybe that's just an
> added benefit.

So if we set ssl_ciphers in postgresql.conf to:

	ssl_ciphers = 'NULL-SHA:NULL-MD5'

then SSL does client and server machine authentication with no
encryption overhead?

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

In response to

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2007-12-24 17:35:54
Subject: Re: Spoofing as the postmaster
Previous:From: Mark MielkeDate: 2007-12-24 16:21:46
Subject: Re: Spoofing as the postmaster

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group