From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Zeus Kronion <zkronion(at)gmail(dot)com> |
Cc: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Possible SSL improvements for a newcomer to tackle |
Date: | 2017-10-03 04:35:06 |
Message-ID: | CAB7nPqTmvycm2QyJjfM_0E-43iS565LLWiT9GD7n-geTcHkBqw@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Oct 3, 2017 at 1:15 PM, Zeus Kronion <zkronion(at)gmail(dot)com> wrote:
> I previously made one minuscule contribution to the project two years ago.
> I'm interested in doing some more, and I'm trying to figure out what to
> focus on. Two SSL-related projects caught my attention:
> 1) Allow automatic selection of SSL client certificates from a certificate
> store (https://www.postgresql.org/message-id/8766.1241799013@sss.pgh.pa.us).
> It seems relatively straightforward to support an additional file format for
> key-value pairs in postgresql.crt/.key, and I think this is something I
> could take on if it's still desired.
> 2) I was surprised to learn the following from the docs:
One other thing that could be improved, and that has already been
asked for, is improvement for passphrase handling, particularly since
SSL parameters can be reloaded: for example, adding a new GUC
parameter that calls a shell command which outputs what is wanted to
stdout. It could be tricky to implement, as the postmaster should be
able to handle requests when launching the command. But I think you
get the idea.
>> By default, PostgreSQL will not perform any verification of the server
>> certificate. This means that it is possible to spoof the server identity
>> (for example by modifying a DNS record or by taking over the server IP
>> address) without the client knowing. In order to prevent spoofing, SSL
>> certificate verification must be used.
>
> Is there a technical reason to perform no verification by default? Wouldn't
> a safer default be desirable?
It would be nice to get to a stronger default, with "require" at
least; the recommendation is to use at least "verify-ca" for any
serious deployment. Note that not long ago there were arguments about
how the default value of sslmode, 'prefer', is good at giving a
false sense of security, but this led nowhere (can't put my hands on
this thread now...).
--
Michael
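A small audit script for the sslmode point raised in this message, added here as an example; it is not code from this thread or from PostgreSQL itself. It parses both DSN forms libpq accepts (key=value pairs with single-quoted values and backslash escapes, and postgresql:// URIs), applies the documented default of 'prefer' when sslmode is absent, and reports what each effective mode leaves unprotected. Assumptions: PGSSLMODE, ~/.pg_service.conf and the default root certificate location are not consulted, and the DSNs at the bottom are constructed samples.

```python
"""Audit libpq connection strings for weak sslmode settings.

Added example, not code from the pgsql-hackers thread or from PostgreSQL.
Assumes libpq's default sslmode of 'prefer' and ignores PGSSLMODE and
service files.
"""
from urllib.parse import parse_qs, urlparse

DEFAULT_SSLMODE = "prefer"  # libpq default when sslmode is not given

# Per the libpq docs: (encryption guaranteed, server identity verified).
PROTECTION = {
    "disable": (False, False),
    "allow": (False, False),
    "prefer": (False, False),     # silently falls back to plaintext if SSL fails
    "require": (True, False),     # encrypted, but any certificate is accepted
    "verify-ca": (True, True),    # cert must chain to a trusted CA
    "verify-full": (True, True),  # ...and the hostname must match the cert
}


def parse_keyword_dsn(dsn):
    """Parse libpq conninfo syntax: key=value pairs, optional single quotes,
    backslash escaping the next character inside or outside quotes."""
    params, i, n = {}, 0, len(dsn)
    while True:
        while i < n and dsn[i].isspace():
            i += 1
        if i >= n:
            return params
        start = i
        while i < n and dsn[i] != "=" and not dsn[i].isspace():
            i += 1
        key = dsn[start:i]
        while i < n and dsn[i].isspace():
            i += 1
        if not key or i >= n or dsn[i] != "=":
            raise ValueError(f"missing keyword or '=' near offset {start}")
        i += 1
        while i < n and dsn[i].isspace():
            i += 1
        quoted = i < n and dsn[i] == "'"
        if quoted:
            i += 1
        buf = []
        while i < n and (dsn[i] != "'" if quoted else not dsn[i].isspace()):
            if dsn[i] == "\\" and i + 1 < n:  # backslash escapes the next char
                i += 1
            buf.append(dsn[i])
            i += 1
        if quoted:
            if i >= n:
                raise ValueError(f"unterminated quoted value for {key!r}")
            i += 1  # skip the closing quote
        params[key] = "".join(buf)


def parse_dsn(dsn):
    """Dispatch on the two DSN forms libpq accepts."""
    if dsn.startswith(("postgresql://", "postgres://")):
        u = urlparse(dsn)
        params = {k: v[-1] for k, v in parse_qs(u.query).items()}
        if u.hostname:
            params.setdefault("host", u.hostname)
        return params
    return parse_keyword_dsn(dsn)


def audit(dsn):
    """Return the effective sslmode and the gaps it leaves open."""
    params = parse_dsn(dsn)
    mode = params.get("sslmode", DEFAULT_SSLMODE)
    if mode not in PROTECTION:
        raise ValueError(f"unknown sslmode {mode!r}")
    encrypted, verified = PROTECTION[mode]
    findings = []
    if not encrypted:
        findings.append("connection may silently be made in plaintext")
    if not verified:
        findings.append("server certificate not verified: DNS or IP takeover spoofs the server")
    if mode == "verify-ca":
        findings.append("hostname not checked: any certificate from the trusted CA is accepted")
    if verified and "sslrootcert" not in params:
        findings.append("no sslrootcert given: relies on the default ~/.postgresql/root.crt")
    return {"host": params.get("host", ""), "sslmode": mode,
            "encrypted": encrypted, "identity_verified": verified,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample DSNs, not taken from any real deployment.
    for dsn in ("host=db.example.com dbname=app user=app",
                "host=db.example.com sslmode=require",
                "postgresql://app@db.example.com/app?sslmode=verify-full&sslrootcert=/etc/ssl/pg-ca.pem"):
        r = audit(dsn)
        print(f"{r['host']:<16} sslmode={r['sslmode']:<12} findings={r['findings']}")
```

Running it over a fleet's connection strings surfaces the two cases the message warns about: DSNs that say nothing and so inherit 'prefer', and DSNs that stop at 'require' and therefore still accept a spoofed server.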
From | Date | Subject | |
---|---|---|---|
Next Message | Tatsuo Ishii | 2017-10-03 05:01:03 | Re: Conversion error |
Previous Message | Tom Lane | 2017-10-03 04:33:00 | Re: Possible SSL improvements for a newcomer to tackle |