Postgres Pro
Downloads
Home   >   mailing lists

Re: SSL/TLS encryption without - Mailing list pgsql-general

From Peter J. Holzer
Subject Re: SSL/TLS encryption without
Date
Msg-id 20221101175513.7h6dheacyqdxq6sw@hjp.at
Whole thread Raw
In response to SSL/TLS encryption without  (Ron <ronljohnsonjr@gmail.com>)
List pgsql-general
Tree view 
On 2022-11-01 11:13:01 -0500, Ron wrote:
> sides=> select * from pg_stat_ssl where pid = 362;
> -[ RECORD 1 ]-+----------------------------
> pid           | 362
> ssl           | t
> version       | TLSv1.2
> cipher        | ECDHE-RSA-AES256-GCM-SHA384
> bits          | 256
> compression   | f
> client_dn     |
> client_serial |
> issuer_dn     |
>
> I've got 85 connections where ssl='t'. How can connections be encrypted
> using SSL/TLS without a client certificate?

Given that you probably never generated a client certificate for your
browser: How could HTTPS work?

The certificates are used for authentication, not for encryption. The
public key(s) included in the certificates may be used during key
exchange, but there are key exchange algorithms which don't need that
(in fact I think ECDHE is one of them) at all, and even those that do
need only one key, so it is sufficient that only the server has a
certificate.

        hp

--
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
Attachment

pgsql-general by date:

Previous
From: Karsten Hilbert
Date:
Subject: Aw: Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all"
Next
From: Bryn Llewellyn
Date:
Subject: Re: Putting the O/S user for "local" "peer" authentication in the "postgres" group vs chmod'ing the "pg*.conf" files to be readable by "all"