Re: Information of pg_stat_ssl visible to all users

On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael(dot)paquier(at)gmail(dot)com> wrote:
>
> Hi all,
>
> I should have noticed that before, but it happens that pg_stat_ssl
> leaks information about the SSL status of all the users connected to a
> server. Let's imagine for example:
> 1) Session 1 connected through SSL with a superuser:
> =# create role toto login;
> CREATE ROLE
> =# select * from pg_stat_ssl;
> pid | ssl | version | cipher | bits |
> compression | clientdn
>
-------+-----+---------+-----------------------------+------+-------------+----------
> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
|
> (1 row)
> 2) New session 2 with previously created user:
> => select * from pg_stat_ssl;
> pid | ssl | version | cipher | bits |
> compression | clientdn
>
-------+-----+---------+-----------------------------+------+-------------+----------
> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
|
> 33367 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
|
> (2 rows)
>
> Attached is a patch to mask those values to users that should not have
> access to it, similarly to the other fields of pg_stat_activity.

I don't have the thread around right now (on phone), but didn't we discuss
this back around the original submission and decide that this was wanted
behavior?

What actual sensitive data is leaked? If knowing the cipher type makes it
easier to hack you have a broken cipher, don't you?

/Magnus