On Tue, Jun 9, 2015 at 3:27 PM, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael.paquier@gmail.com> wrote:
>>
>> Hi all,
>>
>> I should have noticed that before, but it happens that pg_stat_ssl
>> leaks information about the SSL status of all the users connected to a
>> server. Let's imagine for example:
>> 1) Session 1 connected through SSL with a superuser:
>> =# create role toto login;
>> CREATE ROLE
>> =# select * from pg_stat_ssl;
>> pid | ssl | version | cipher | bits |
>> compression | clientdn
>>
>> -------+-----+---------+-----------------------------+------+-------------+----------
>> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> (1 row)
>> 2) New session 2 with previously created user:
>> => select * from pg_stat_ssl;
>> pid | ssl | version | cipher | bits |
>> compression | clientdn
>>
>> -------+-----+---------+-----------------------------+------+-------------+----------
>> 33348 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> 33367 | t | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 | 256 | t
>> |
>> (2 rows)
>>
>> Attached is a patch to mask those values to users that should not have
>> access to it, similarly to the other fields of pg_stat_activity.
>
> I don't have the thread around right now (on phone), but didn't we discuss
> this back around the original submission and decide that this was wanted
> behavior?
Looking back at this thread, it is mentioned here:
http://www.postgresql.org/message-id/31891.1405175764@sss.pgh.pa.us
> What actual sensitive data is leaked? If knowing the cipher type makes it
> easier to hack you have a broken cipher, don't you?
I am just wondering if it is a good idea to let other users know the
origin of a connection to all the users. Let's imagine the case where
for example the same user name is used for non-SSL and SSL sessions.
This could give a hint of the activity on the server..
However, feel free to ignore those concerns if you think the current
situation is fine...
--
Michael
