Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-12 07:10:13
Message-ID: 49E193D5.7030509@hagander.net
Lists: pgsql-bugs

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Uh, it's not "on" if it's not "on". I'd rather call them "off", "on" and
>> something like "maybe" or "external" or "file". I'd find it very bad if
>> you can say "sslverify=on" and then *not* end up getting it because of
>> some external factor. That needs to be clear in the naming of the value
>> if we go down that path.
>
> I guess you didn't think through the implications of the sslmode
> comment, but: this is all merest self-delusion. If a hostile server is
> trying to fool you, all he needs to do is configure his pg_hba.conf to
> accept your connection in non-SSL mode, and your super duper
> guaranteed-to-work ssl verification doesn't do a thing.
>
> So unless you think you can persuade us to change the default sslmode to
> "require", you're wasting your time making the above argument.

Huh?

When I want a secure connection, I set sslmode=require. The same way I
in a browser make sure I'm running with a https connection. When I have
done this, I expect to have the security of the https protocol. Not just
maybe half of it.

I agree the default shouldn't be "require", because that requires the
server to be configured with it. In the on/off scenario, the reasonable
default would be "off".

The same way that imho it would make more sense to have sslverify
default to "off" than to "maybe".

>>> BTW, what in the world prompted us to use "cn" as an allowed value for
>>> sslverify? It looks for all the world like a typo for "on".
>
>> Eh, what would you call it? It enables verification of the cn field in
>> the certificate. Another option I considered was "full", but someone
>> said that was bad - can't recall if that was on-list or off ATM.
>
> I would call it "on", and put the hostname behavior control somewhere
> else. Overloading a security-sensitive parameter's meaning isn't a
> particularly safe design, eh? Especially with a value that people
> can't even read correctly if their eyes are a bit bleary.

How is that overloading it? It says how far you want to take the
verification of the certificate. It's overloading if you try to squeeze
in the "try" or "maybe" or whatever it'd be called setting, but not
until then.

That said, I'd not object at all to changing it to on, but keeping the
ability to set it to "cert" as well - because that's a feature people
asked for, and that makes sense to use.

//Magnus
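The downgrade Tom describes above (a server that simply declines SSL, so a client with a non-"require" sslmode falls back to plaintext and the certificate verification setting is never consulted) can be seen in a small model of libpq's SSLRequest negotiation. This is an added illustration, not code from libpq or from anyone on this thread; FakeServer, connect() and the reduced set of modes (disable/prefer/require, no "allow" retry logic, no real TLS or certificate checking) are assumptions made for the example.

```python
import struct

# libpq's SSLRequest: Int32 length (8) followed by the request code 80877103.
SSL_REQUEST_CODE = 80877103


def ssl_request_packet() -> bytes:
    """The 8-byte SSLRequest the client sends before the startup packet."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


class FakeServer:
    """Constructed stand-in for a server whose pg_hba.conf decides whether
    SSL is offered at all. Answers 'S' (SSL ok) or 'N' (no SSL)."""

    def __init__(self, offers_ssl: bool):
        self.offers_ssl = offers_ssl

    def answer(self, packet: bytes) -> bytes:
        if packet != ssl_request_packet():
            raise ValueError("expected an SSLRequest packet")
        return b"S" if self.offers_ssl else b"N"


def connect(server: FakeServer, sslmode: str = "prefer", sslverify: str = "on") -> dict:
    """Simplified client decision logic (hypothetical; real libpq does more).
    Returns the transport actually used and whether verification ran."""
    if sslmode == "disable":
        return {"transport": "plaintext", "verified": False}
    reply = server.answer(ssl_request_packet())
    if reply == b"S":
        # Only on an SSL transport does sslverify have anything to act on.
        return {"transport": "ssl", "verified": sslverify != "off"}
    if sslmode == "require":
        raise ConnectionError("server does not support SSL, but SSL was required")
    # sslmode=prefer: fall back to plaintext; sslverify is never consulted,
    # so "sslverify=on" gave no guarantee at all.
    return {"transport": "plaintext", "verified": False}


def downgraded(server: FakeServer, sslmode: str, sslverify: str) -> bool:
    """True when the client ended up on plaintext despite asking for verification."""
    try:
        result = connect(server, sslmode, sslverify)
    except ConnectionError:
        return False  # refusing to connect is not a downgrade
    return sslverify != "off" and result["transport"] == "plaintext"
```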
