Re: sslmode verify-ca and verify-full: essentially the same? - Mailing list pgsql-general

From Magnus Hagander
Subject Re: sslmode verify-ca and verify-full: essentially the same?
Date
Msg-id CABUevEwqwu0vNbtmVpP07oA4rWJOVYQ6wb5DwSjai_VoPx02Kw@mail.gmail.com
In response to sslmode verify-ca and verify-full: essentially the same?  (David Guyot <david.guyot@europecamions-interactive.com>)
Responses Re: sslmode verify-ca and verify-full: essentially the same?  (David Guyot <david.guyot@europecamions-interactive.com>)
List pgsql-general
On Tue, Jan 27, 2015 at 2:29 PM, David Guyot <david.guyot@europecamions-interactive.com> wrote:
> Hi, there.
>
> Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
> right one for my question.
>
> I'm trying to secure further some PgSQL servers and am reading
> documentation about the libpq sslmode option. I have a question about that:
> as I understand the internals of this option, the difference between
> verify-ca and verify-full is that, for verify-full, the client will compare
> the hostname the server gave and the one in the SSL certificate, and
> will give up if these two values differ. Am I right up to now?

Almost correct. It will compare the hostname that the client used (in the connection string) with the hostname in the SSL certificate, and give up if the two values differ.

The server does not give the client a hostname at any point (other than the CN of the certificate).


> If I'm right, I feel like the extra security of verify-full compared to
> verify-ca is merely a smoke screen because, as far as I know, nothing
> prevents a crafted server from reading the certificate's hostname and giving
> this one as its own, and libpq shouldn't show better MitM
> protection with verify-full than with verify-ca. If I'm wrong, where am
> I wrong? How does libpq verify the server's name? Reverse DNS? Other
> means?

libpq uses the hostname that you specify in the connection string (or in an environment variable, or however you end up specifying it).
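As an added illustration (not libpq's own code and not part of this thread), a small model of the two verifying modes: verify-ca stops at chain validation, while verify-full additionally requires the host the client put in its connection string to match a name in the server certificate, which is why a server that merely copies a hostname cannot pass it. The wildcard and SAN-precedence rules are assumptions that only approximate libpq's.

```python
# Added illustration (not libpq's own code): how sslmode=verify-ca and
# sslmode=verify-full differ once the server certificate has been presented.
# The matching rules mirror libpq's behaviour only approximately and are an
# assumption of this example: names compare case-insensitively, a wildcard
# may only be the whole leftmost label, and dNSName SANs take precedence
# over the subject CN when any are present.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for an X.509 certificate as seen by the client."""
    common_name: str
    san_dns: list = field(default_factory=list)
    chain_ok: bool = True  # True if it validates against the client's root CA


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the connection-string host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    # Wildcard covers exactly one non-empty leftmost label, e.g. *.example.com
    suffix = pattern[1:]                     # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def connection_accepted(sslmode: str, conn_host: str, cert: ServerCert) -> bool:
    """Decide whether the client would complete the connection under this sslmode."""
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError("only the two verifying modes are modelled here")
    if not cert.chain_ok:
        return False                         # both modes require a trusted chain
    if sslmode == "verify-ca":
        return True                          # no hostname check at all
    # verify-full: the host from the connection string must appear in the cert.
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches(n, conn_host) for n in names)


def mitm_scenario() -> dict:
    """The case raised in the thread: an impostor holding its own CA-signed cert.

    The client connects to db.example.com; the impostor presents a certificate
    the same CA legitimately issued for attacker.example.com (constructed data).
    """
    impostor = ServerCert(common_name="attacker.example.com")
    return {mode: connection_accepted(mode, "db.example.com", impostor)
            for mode in ("verify-ca", "verify-full")}
```

`mitm_scenario()` returns `{"verify-ca": True, "verify-full": False}`: the impostor's certificate is trusted by the CA, but it carries the wrong name for the host the client asked for.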

