Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL - Mailing list pgsql-bugs

From Andres Freund
Subject Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
Date
Msg-id 20161025144511.jedknmw7xjgxa5pf@alap3.anarazel.de
In response to BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL  (balaji.chithambaram@capitalone.com)
Responses Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
List pgsql-bugs
On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or
> verify-full.

I guess you meant "can't" not "can"?


> How can we make sure sslmode=prefer either checks the
> certificate and establish ssl connection or not to try setting up ssl
> connection.

That's a nonsensical configuration, you can't.


> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.

No. Client configuration can't be enforced on the server side. Random
client libraries can do whatever they want.


Andres
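
Since the server cannot enforce the client's sslmode, the check has to happen where the connection strings live. The following is an added example, not part of the original message or of PostgreSQL itself: a sketch that audits libpq connection strings for an sslmode that does not verify the server certificate. The function names and sample DSNs are constructed for illustration, and settings from pg_service.conf are not considered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values; only verify-ca and verify-full check the certificate.
REASONS = {
    "disable": "TLS never used",
    "allow": "may connect without TLS; certificate not verified",
    "prefer": "may fall back to plaintext; certificate not verified",
    "require": "TLS required, but certificate verification not guaranteed",
    "verify-ca": None,
    "verify-full": None,
}
LIBPQ_DEFAULT = "prefer"  # applies when neither the DSN nor PGSSLMODE sets it

# key=value conninfo: spaces around '=' allowed, values may be single-quoted
_KV = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|(\S*))")


def effective_sslmode(dsn, env=None):
    """Return the sslmode a URI or key=value DSN resolves to."""
    env = env or {}
    if dsn.startswith(("postgresql://", "postgres://")):
        # assumption for this sketch: a repeated parameter takes its last value
        params = {k: v[-1] for k, v in parse_qs(urlsplit(dsn).query).items()}
    else:
        params = {k: quoted or bare for k, quoted, bare in _KV.findall(dsn)}
    # an explicit connection parameter overrides the PGSSLMODE variable
    return params.get("sslmode") or env.get("PGSSLMODE") or LIBPQ_DEFAULT


def audit(dsn, env=None):
    """Return 'ok' when the certificate is verified, otherwise a finding."""
    mode = effective_sslmode(dsn, env)
    if mode not in REASONS:
        return f"invalid sslmode {mode!r}"
    reason = REASONS[mode]
    return "ok" if reason is None else f"{mode}: {reason}"


if __name__ == "__main__":
    samples = [  # constructed sample DSNs
        "host=db.example.internal dbname=app user=app",
        "host=db.example.internal sslmode = 'require'",
        "postgresql://app@db.example.internal/app?sslmode=verify-full",
    ]
    for dsn in samples:
        print(f"{audit(dsn):70} <- {dsn}")
```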
