using ssl some of the time

From: Charles Hornberger <charlie(at)hss(dot)caltech(dot)edu>
To: pgsql-admin(at)postgresql(dot)org
Subject: using ssl some of the time
Date: 2003-07-22 23:09:43
Message-ID: 3F1DC437.2080104@hss.caltech.edu
Lists: pgsql-admin

I'm having a bit of trouble understanding exactly how SSL-encrypted
connections are supposed to work -- and specifically whether it's
possible to "use SSL some of the time."

Here's what I want to do:

1) I want one of my web servers to be able to connect to the database
without the overhead of SSL (it connects as an unprivileged user who
just does SELECTs).

2) I want to allow connections from another machine -- also a web server
-- ONLY if they're encrypted with SSL (users with the ability to
INSERT/UPDATE will be connecting with passwords via a web/db interface
hosted on this machine).

It seems to me that I can't do both. If I turn on the 'ssl=true' option
in $PGDATA/postgresql.conf, then connections from psql at least are
_always_ encrypted, no matter what's in pg_hba.conf.

For the record, here's what's in pg_hba.conf (notably, there's no
hostssl entry):

local all all trust
host all all 127.0.0.1 255.255.255.255 trust

And here's what happens when I connect with psql:

[economex] charlie/$ psql -h 127.0.0.1 template1
Welcome to psql 7.3.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit

SSL connection (cipher: EDH-RSA-DES-CBC3-SHA, bits: 168)

template1=> \q

... which looks encrypted to me.

Am I right in interpreting this to mean that I either have to use SSL
all the time or none of the time? I'm especially tempted to believe
this might be the case after seeing this item in the "Clients" section
of http://developer.postgresql.org/todo.php:

- Allow SSL-enabled clients to turn off SSL transfers

Does that mean that, if SSL is enabled for the postmaster, the client
will always be forced to use SSL? Or is there something I need to do to
force the client to NOT use SSL?

Thanks,
Charlie
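The split described above can be expressed in pg_hba.conf itself; this is an added example, not part of the original post or thread. It assumes a PostgreSQL release with the hostnossl record type, CIDR addresses and scram-sha-256 (all newer than the 7.3.1 shown above), and the addresses and role names are placeholders.

```conf
# pg_hba.conf (added example; addresses and roles are placeholders)
# TYPE      DATABASE  USER      ADDRESS         METHOD
#
# The first line whose TYPE, DATABASE, USER and ADDRESS all match wins.
# "host" matches SSL and plain TCP alike (which is why the "host ... trust"
# line in the post lets an SSL session through), "hostssl" matches only
# SSL connections and "hostnossl" only plain TCP ones. A connection of
# the wrong kind falls through to the next line; no match means rejected.

# Local socket connections, as in the original configuration.
local       all       all                       trust

# Web server 1, read-only role: plain TCP only, no SSL cost.
# Any other role from this address matches no line and is refused.
hostnossl   all       webread   192.0.2.10/32   scram-sha-256

# Web server 2, roles that INSERT/UPDATE: SSL required, password auth.
# The explicit reject keeps the plaintext path visible in the file
# instead of relying on fall-through.
hostssl     all       all       192.0.2.20/32   scram-sha-256
hostnossl   all       all       192.0.2.20/32   reject

# Client side (libpq sslmode, chosen per connection, not per server):
#   web server 1: psql "host=db.example sslmode=disable user=webread dbname=app"
#   web server 2: psql "host=db.example sslmode=require user=editor dbname=app"
# With ssl=on in postgresql.conf the server accepts both kinds; these
# lines decide which kind each source is allowed to use.
```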
