Peter Eisentraut wrote:
> I found an old patch on my disk to enable SSL over Unix-domain sockets.
>
> Remember, about a year ago it was discussed that there might also be
> man-in-the-middle or fake-server attacks using Unix-domain sockets,
> because usually anyone can start a server in /tmp. After an extensive
> discussion (mainly about moving the socket out of /tmp by default;
> please don't start that again), it was determined that using SSL server
> verification would be the proper solution and it fact works without
> problems. Except that the start-up overhead was increased significantly
> (because of the initial key exchange and session key setup etc.).
>
> Back then we didn't really have a good solution, but I figured since 8.4
> rearranges the SSL connection parameters anyway, we could stick that in
> there.
>
> I imagine for example, we could invent an additional sslmode of the sort
> prefer-but-not-if-local-socket, which could be the default.
That parameter is already pretty complex, not sure it's a great idea to
make it even more so :(
Perhaps it's enough to add a "localssl" row to pg_hba.conf?
> The other question is whether sslverify=cn makes sense, but that may be
> up to the user to find out.
Without finding a way to have that make sense, you don't actually fix
the potential MITM problem (at least not in many common scenarios), so I
think that needs to be considered before we put anything in.
//Magnus
