Re: SSL and MD5 passwords - Mailing list pgsql-admin

From Albe Laurenz
Subject Re: SSL and MD5 passwords
Date
Msg-id A737B7A37273E048B164557ADEF4A58B3660EFF7@ntex2010i.host.magwien.gv.at
Whole thread Raw
In response to SSL and MD5 passwords  (Nathan Aherne <nathan@reddog.com.au>)
List pgsql-admin
Nathan Aherne wrote:
> We would like to use SSL to secure data transmission between our app server and postgres server as
> they are both on the public internet. We cannot use SSH tunnels as our infrastructure doesn’t allow
> it. Using client SSL keys poses a number of structural issues for us as well.
> 
> Instead we would like to use MD5 Username/Password to authenticate to Postgres while having postgres
> encrypt the data transfer via SSL (forced). Is this possible? If so:

Yes, this is possible, we do it all the time.

> 1. are there any issues with doing things this way?
> 2. we have configured pg_hba.conf with hostssl and md5 clientcert=0 but cannot seem to get the correct
> connection string combination. Could someone point me in the correct direction.

There is no option "clientcert=0" for the md5 authentication method.
Just remove that and everything should work fine.

What client do you use to connect?

If you connect with libpq, you can add "sslmode=require" to the connection string, but
this is not necessary, since "sslmode=prefer" is default, and that will try SSL first.

Yours,
Laurenz Albe

pgsql-admin by date:

Previous
From: Nathan Aherne
Date:
Subject: SSL and MD5 passwords
Next
From: Robert Burgholzer
Date:
Subject: Timestamp Shifts when calling to_timestamp(extract (epoch from timestamp))