Re: Is Client connections via ca.crt only possible?

From: Thomas Guyot <tguyot(at)gmail(dot)com>
To: Rejo Oommen <rejo(dot)oommen(at)gmail(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Is Client connections via ca.crt only possible?
Date: 2022-08-04 02:22:52
Message-ID: 2427474d-b5f7-cd8a-c4a9-b6cf36644de0@gmail.com
Lists: pgsql-general

On 2022-08-03 21:37, Rejo Oommen wrote:
> Thank you for the reply Thomas. I agree with you on the mutual TLS
> that you mentioned.
>
> Here is what I was looking at.
>
> The configurations at the server end will be with auth-method as md5
> and auth-option as clientcert=verify-ca.
>

There's your issue. If you tell the server to validate the client cert,
then it will require the client to provide a valid cert to identify itself.

> In this way, the user's password along with the valid ca should allow
> connections to pass.
>

The ca on your setup is only useful for the client to ensure the server
is the correct one and prevent MITM attacks. This is a client-side
check, not server-side.

The only authentication security here is the password/md5, but protected
from eavesdropping (passive and MITM) and connection hijacking by
encryption, with some of these protections only effective when the
client uses the verify-ca option. The server cannot ensure the client is
actually validating the ca, nor even that it's talking to the actual
client and not a MITM, simply because the client itself is not
authenticated by mutual TLS.

Regards

--
Thomas
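The pg_hba.conf entries below are an added illustration of the point made in the reply; they are not from the thread or from the PostgreSQL project. They assume a server whose ssl_ca_file is set to ca.crt and clients in 10.0.0.0/8; the network range and the "all" database/user placeholders are assumptions. Entry 1 is the configuration described in the thread; entries 2 to 4 are the alternatives it contrasts with.

```conf
# Added example (not from the thread). Assumes ssl_ca_file = 'ca.crt' on the
# server and clients on 10.0.0.0/8 (assumed range); DATABASE/USER are
# placeholders. clientcert=... is only valid on hostssl records.
#
# 1. The setup from the thread: password auth, but the clientcert option
#    makes the server demand a client certificate signed by ca.crt.
#    A client that only trusts ca.crt (no sslcert/sslkey) is rejected.
# TYPE   DATABASE  USER  ADDRESS      METHOD         OPTIONS
hostssl  all       all   10.0.0.0/8   md5            clientcert=verify-ca

# 2. Password only over TLS: the server asks for no client cert.
#    Whether the client checks the server against ca.crt is entirely
#    the client's decision (sslmode=verify-ca / verify-full); the server
#    cannot tell. scram-sha-256 is the modern password method; md5 works too.
hostssl  all       all   10.0.0.0/8   scram-sha-256

# 3. Mutual TLS: password plus a client certificate whose CN must match
#    the database user name (verify-full).
hostssl  all       all   10.0.0.0/8   scram-sha-256  clientcert=verify-full

# 4. Certificate-only authentication (the cert method implies verify-full).
hostssl  all       all   10.0.0.0/8   cert
```

On the client side the matching libpq parameters are sslmode=verify-full (or verify-ca) and sslrootcert=ca.crt for checking the server, which is all entry 2 needs; entries 1, 3 and 4 additionally require sslcert=client.crt and sslkey=client.key (file names assumed), because the server will not complete the handshake without a certificate it can chain to ca.crt.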
