Home > mailing lists

Re: Direct SSL connection with ALPN and HBA rules - Mailing list pgsql-hackers

From	Jacob Champion
Subject	Re: Direct SSL connection with ALPN and HBA rules
Date	May 13 19:45:27
Msg-id	CAOYmi+kPCxEr62+dGGUOEbzJc4qOfNAPc_v+=3yc0gzTZyEdCw@mail.gmail.com Whole thread Raw
In response to	Re: Direct SSL connection with ALPN and HBA rules (Robert Haas <robertmhaas@gmail.com>)
Responses	Re: Direct SSL connection with ALPN and HBA rules
List	pgsql-hackers

Tree view

(There's, uh, a lot to respond to above and I'm trying to figure out
how best to type up all of it.)

On Mon, May 13, 2024 at 9:13 AM Robert Haas <robertmhaas@gmail.com> wrote:
> However,
> I disagree with Jacob's assertion that sslmode=require has no security
> benefits over sslmode=prefer.

For the record, I didn't say that... You mean Jelte's quote up above?:

> sslmode=prefer and sslmode=require
> are the same amount of insecure imho (i.e. extremely insecure).

I agree that requiring passive security is tangibly better than
allowing fallback to plaintext. I think Jelte's point might be better
stated as, =prefer and =require give the same amount of protection
against active attack (none).

--Jacob

pgsql-hackers by date:

From: Dagfinn Ilmari Mannsåker
Date: 13 May, 19:35:42
Subject: Re: Allowing additional commas between columns, and at the end of the SELECT clause

From: Alvaro Herrera
Date: 13 May, 19:45:40
Subject: Re: cataloguing NOT NULL constraints

Re: Direct SSL connection with ALPN and HBA rules - Mailing list pgsql-hackers

Previous

Next