sslmode verify-ca and verify-full: essentially the same? - Mailing list pgsql-general

From David Guyot
Subject sslmode verify-ca and verify-full: essentially the same?
Msg-id 1422365392.18392.36.camel@Antares.europecamions-interactive.com
Responses Re: sslmode verify-ca and verify-full: essentially the same?  (Magnus Hagander <magnus@hagander.net>)
List pgsql-general
Hi there.

Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
right one for my question.

I'm trying to further secure some PgSQL servers and am reading the
documentation about the libpq sslmode option. I have a question about that:
as I understand the internals of this option, the difference between
verify-ca and verify-full is that, for verify-full, the client will compare
the hostname the server gave and the one in the SSL certificate, and
will give up if these two values differ. Am I right up to now?

If I'm right, I feel like the extra security of verify-full compared to
verify-ca is merely a smoke screen because, as far as I know, nothing
prevents a crafted server from reading the certificate's hostname and giving
this one as its own, and libpq shouldn't show better MitM
protection with verify-full than with verify-ca. If I'm wrong, where am
I wrong? How does libpq verify the server's name? Reverse DNS? Some other
means?

Hoping someone can enlighten me about this,

Regards.
--
David Guyot
Administrateur système, réseau et télécom / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
03 29 30 47 85

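The following is an added example, not part of the original post and not libpq's own code. It models the two checks libpq performs: verify-ca checks only that the server certificate chains to a root in sslrootcert, while verify-full additionally requires that a name in the certificate match the host= value from the client's own connection string. The server is never asked what its name is, so a peer "giving the certificate's hostname as its own" changes nothing. The chain check is reduced to a direct issuer lookup (real chain building is OpenSSL's job), the name matching follows libpq's rules as documented (dNSName SANs take precedence over the CN, wildcard covers exactly one leftmost label), and every certificate and hostname is constructed for the demonstration.

```python
# Added model (not libpq source) of the verify-ca and verify-full decisions.
# All certificates, issuers and hostnames below are constructed for the demo.
from dataclasses import dataclass, field

TRUSTED_ROOTS = {"Example Root CA"}   # stands in for the contents of sslrootcert


@dataclass
class Cert:
    """The X.509 fields that matter for these two checks."""
    subject_cn: str
    issuer: str
    dns_sans: list = field(default_factory=list)


def chain_is_trusted(cert: Cert) -> bool:
    """verify-ca: the certificate must chain to a trusted root.
    Modelled as a direct issuer lookup for brevity."""
    return cert.issuer in TRUSTED_ROOTS


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the host: case-insensitive,
    and a leading '*' covers exactly one leftmost label, nothing more."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == host


def cert_matches_host(cert: Cert, host: str) -> bool:
    """verify-full's extra step: some name in the certificate must match the
    host the client was told to connect to. DNS SANs win; the CN is only
    consulted when the certificate carries no DNS SAN at all."""
    names = cert.dns_sans if cert.dns_sans else [cert.subject_cn]
    return any(name_matches(n, host) for n in names)


def accept_server(cert: Cert, connect_host: str, sslmode: str,
                  server_claimed_host: str = "") -> bool:
    """Would the client complete the connection?

    connect_host is the host= parameter from the client's connection string.
    server_claimed_host is whatever the peer asserts about itself (banner,
    reverse DNS, anything). It is accepted only to make the point visible:
    it is never consulted, because verify-full never asks the server."""
    if sslmode == "verify-ca":
        return chain_is_trusted(cert)
    if sslmode == "verify-full":
        return chain_is_trusted(cert) and cert_matches_host(cert, connect_host)
    raise ValueError("this model covers only verify-ca and verify-full")


# Constructed scenario: the client's connection string says host=db.example.com.
CLIENT_HOST = "db.example.com"

LEGIT = Cert("db.example.com", "Example Root CA", ["db.example.com"])
# Attacker holding a CA-signed certificate for a host they really control:
ATTACKER_CA_SIGNED = Cert("evil.example.com", "Example Root CA", ["evil.example.com"])
# Attacker with a self-signed certificate that merely asserts the victim's name:
ATTACKER_SELF_SIGNED = Cert("db.example.com", "Evil CA", ["db.example.com"])
WILDCARD = Cert("*.example.com", "Example Root CA", ["*.example.com"])


def scenario_results() -> dict:
    """Run every scenario under both modes; the attacker always claims to be
    db.example.com, which has no effect on the outcome."""
    scenarios = [("legit", LEGIT), ("mitm-ca-signed", ATTACKER_CA_SIGNED),
                 ("mitm-self-signed", ATTACKER_SELF_SIGNED), ("wildcard", WILDCARD)]
    return {
        label: {mode: accept_server(cert, CLIENT_HOST, mode,
                                    server_claimed_host="db.example.com")
                for mode in ("verify-ca", "verify-full")}
        for label, cert in scenarios
    }


if __name__ == "__main__":
    for label, res in scenario_results().items():
        print(f"{label:18s} verify-ca={res['verify-ca']!s:5s} "
              f"verify-full={res['verify-full']}")
```

The interesting row is mitm-ca-signed: an attacker whose certificate is signed by the same root passes verify-ca, because that mode only asks "is this signed by a CA I trust?", but fails verify-full, because the name in that certificate is not the name the client typed into its connection string. The only ways through verify-full are a certificate for the victim's exact name issued by a trusted root, or a client that was told to connect to the wrong host in the first place.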