sslmode verify-ca and verify-full: essentialy the same? - Mailing list pgsql-general

From David Guyot
Subject sslmode verify-ca and verify-full: essentialy the same?
Date
Msg-id 1422365392.18392.36.camel@Antares.europecamions-interactive.com
Whole thread Raw
Responses Re: sslmode verify-ca and verify-full: essentialy the same?
List pgsql-general
Hi, there.

Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
good one for my question.

I'm trying to secure further some PgSQL servers and am reading
documentation about libpq sslmode option. I have a question about that:
as I understand the internals of this option, the difference between
verify-ca and verify-full is that, for verify-full, client will compare
the hostname the server gave and the one in the SSL certificate, and
will give up if these two values differ. Am I right up to now?

If I'm right, I feel like the extra security of verify-full compared to
verify-ca is merely a smoke screen because, as far as I know, nothing
prevents a crafted server to read the certificate's hostname and give
this one as its own, and the libpq shouldn't show a better MitM
protection with verify-full than with verify-ca. If I'm wrong, where am
I wrong? How does libpq verify the server's name? Reverse DNS? Other
mean?

Hoping someone can enlighten me about this,

Regards.
--
David Guyot
Administrateur système, réseau et télécom / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
03 29 30 47 85

Attachment

pgsql-general by date:

Previous
From: Albe Laurenz
Date:
Subject: Re:
Next
From: Thomas Kellerer
Date:
Subject: Re: (unknown)