From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Jakob Egger <jakob(at)eggerapps(dot)at>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslmode=require fallback |
Date: | 2016-07-15 08:14:36 |
Message-ID: | CABUevEy5f=gedCpe93p9Hk1qRfEzDtbXyMgvkp=z31xfO0Auqw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, Jul 15, 2016 at 5:10 AM, Peter Eisentraut <
peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 7/13/16 4:11 PM, Robert Haas wrote:
> > On Thu, Jun 16, 2016 at 3:42 AM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> >> You would think so.
> >>
> >> The default mode of "prefer" is ridiculous in a lot of ways. If you are
> >> using SSL in any shape or form you should simply not use "prefer".
> That's
> >> really the only answer at this point, unfortunately.
> >
> > Suppose we changed the default to "require". How crazy would that be?
>
> If we think that that is appropriate, should we not also change the
> default pg_hba.conf to hostssl lines?
>
> I'm not convinced either of these would go over well.
>
It would actually, IMO, make more sense to change the default pg_hba lines
and not change the client settings... But I'm not sure either of those
would go over well.
>
> The original complaint was not actually that "prefer" is a bad default,
> but that in the presence of a root certificate on the client, a
> certificate validation failure falls back to plain text. That seems
> like a design flaw of the "prefer" mode, no matter whether it is the
> default or not.
>
The entire "prefer" mode is a design flaw, that we unfortunately picked as
default mode.
If it fails *for any reason*, it falls back to plaintext. Thus, you have to
assume it will make a plaintext connection. Thus, it gives you zero
guarantees, so it serves no actual purpose from a security perspective.
it will equally fall back on incompatible SSL configs. Or on a network
hiccup. The presence of the certificate is just one of many different
scenarios where it will fall back.
If you care about encryption, you should pick something else
(require/verify). If you don't care about encryption, you should pick
something else (allow, probably) so as not to pay unnecessary overhead.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Craig Ringer | 2016-07-15 08:28:15 | Re: One process per session lack of sharing |
Previous Message | Noah Misch | 2016-07-15 06:42:18 | Re: BUG #14245: Segfault on weird to_tsquery |