| From: | "Mike Rylander" <mrylander(at)gmail(dot)com> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Peter Eisentraut" <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Bruce Momjian" <bruce(at)momjian(dot)us>, "Tomasz Ostrowski" <tometzky(at)batory(dot)org(dot)pl> |
| Subject: | Re: Spoofing as the postmaster |
| Date: | 2007-12-22 18:51:39 |
| Message-ID: | b918cf3d0712221051o5afb9e00v559fcc95e81996ae@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Dec 22, 2007 1:04 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > Wouldn't SSL work over Unix-domain sockets as well? The API only deals with
> > file descriptors.
>
> Hmm ... we've always thought of SSL as being primarily comm security
> and thus useless on a Unix socket, but the mutual authentication aspect
> could come in handy as an answer for this type of threat. Anyone want
> to try this and see if it really works or not?
>
> Does OpenSSL have a mode where it only does mutual auth and not
> encryption? The encryption would be wasted cycles in this scenario,
> so being able to turn it off would be nice.
>
miker(at)whirly:~$ openssl ciphers -v 'NULL'
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
I see no way to turn off the message digest, but maybe that's just an
added benefit.
--miker
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marko Kreen | 2007-12-22 19:03:54 | Re: Spoofing as the postmaster |
| Previous Message | Tom Lane | 2007-12-22 18:04:47 | Re: Spoofing as the postmaster |