On Sun, Dec 05, 2004 at 11:02:33AM -0800, Steve Atkins wrote:
> On Sun, Dec 05, 2004 at 11:27:57AM -0700, Michael Fuhr wrote:
> >
> > You can use psql to check if SSL is working. Psql prints a message
> > like the following if SSL was successfully negotiated:
> >
> > SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>
> I tend to fire up ethereal and look at the data stream to make absolutely
> sure that my app is doing SSL to postgresql.
Doesn't hurt to be sure.
> I've been burnt once or twice by the libpq my app uses not negotiating
> SSL correctly while the version of libpq that psql uses being just
> fine (dumb build problems on my part, but I'd probably have missed
> them without the sanity check of sniffing the connection).
On the backend side you can force SSL by using "hostssl" in
pg_hba.conf; connections that don't use SSL should then fail instead
of silently proceeding unencrypted. On the client side you could
set the PGSSLMODE environment variable to "require" (or the older
PGREQUIRESSL to "1"), which should tell libpq to attempt only SSL
connections.
--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
