Skip site navigation (1) Skip section navigation (2)

Re: [pgsql-hackers-win32] More SSL questions..

From: Oliver Jowett <oliver(at)opencloud(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <mha(at)sollentuna(dot)net>,Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>,"T(dot)J(dot)" <tjtoocool(at)phreaker(dot)net>, pgsql-bugs(at)postgresql(dot)org,pgsql-hackers-win32(at)postgresql(dot)org
Subject: Re: [pgsql-hackers-win32] More SSL questions..
Date: 2005-01-05 22:20:19
Message-ID: 41DC6823.7080506@opencloud.com (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-hackers-win32
Tom Lane wrote:

> BTW, as of CVS tip, if the server has a root.crt file and the client
> does not have any certificate files, the default behavior is that
> connections fail:
> 
> $ psql -h localhost regression
> psql: could not open certificate file "/home/tgl/.postgresql/postgresql.crt": No such file or directory
> $
> 
> I'm not sure if this is desirable.  Should libpq try to fall back to a
> non-SSL-encrypted connection, instead?

Only if the server certificate validates, otherwise an active attacker 
could intercept the SSL connection to force libpq to fall back to 
non-SSL and then intercept the unencrypted/unauthenticated connection. 
Does openssl lets you detect a "server cert OK but no suitable client 
cert provided" error easily?

-O

In response to

Responses

pgsql-bugs by date

Next:From: Bruce MomjianDate: 2005-01-05 22:25:19
Subject: Re: More SSL questions..
Previous:From: Tom LaneDate: 2005-01-05 21:44:12
Subject: Re: [pgsql-hackers-win32] More SSL questions..

pgsql-hackers-win32 by date

Next:From: Bruce MomjianDate: 2005-01-05 22:25:19
Subject: Re: More SSL questions..
Previous:From: Tom LaneDate: 2005-01-05 21:44:12
Subject: Re: [pgsql-hackers-win32] More SSL questions..

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group