Skip site navigation (1) Skip section navigation (2)

Re: SSL over Unix-domain sockets

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SSL over Unix-domain sockets
Date: 2008-01-04 17:47:15
Message-ID: 477E7123.9010707@hagander.net (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Bruce Momjian wrote:
> Peter Eisentraut wrote:
>> Am Freitag, 4. Januar 2008 schrieb Bruce Momjian:
>>> Peter Eisentraut wrote:
>>>> Using the attached patch, SSL will act over Unix-domain sockets.  AFAICT,
>>>> this just works.  I didn't find a way to sniff a Unix-domain socket,
>>>> however.
>>>>
>>>> How should we proceed with this?
>>> I am confused by the shortness of this patch.  Right now pg_hba.conf
>>> has:
>>>
>>> 	# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
>>> 	# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
>>> 	# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
>>>
>>> These are all for TCP connections.  How do we handle 'local' SSL
>>> connection specification?  Do we want to provide similar functionality
>>> for local connections?
>> Yes, we might want to add that as well.  That and some documentation updates 
>> would probably cover everything.
> 
> OK.  Right now the documentation about spoofing says to use directory
> permissions for the socket, and that works.  I am thinking this is
> something for 8.4.

Actually, if you just commit that patch *without* pg_hba modifications,
it still solves the problem stated, no? Because the client can be
configured to require ssl and to require server certificate validation,
and that's the hole we're trying to plug here...

//Magnus

In response to

Responses

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2008-01-04 17:57:28
Subject: Re: SSL over Unix-domain sockets
Previous:From: Bruce MomjianDate: 2008-01-04 17:37:37
Subject: Re: SSL over Unix-domain sockets

pgsql-patches by date

Next:From: Bruce MomjianDate: 2008-01-04 17:57:28
Subject: Re: SSL over Unix-domain sockets
Previous:From: Bruce MomjianDate: 2008-01-04 17:37:37
Subject: Re: SSL over Unix-domain sockets

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group