We can enforce sslmode=verify-ca or verify-full on our client setup. How can we make sure sslmode=prefer either checks the certificate and establishes an SSL connection, or does not try to set up an SSL connection at all?
Let me ask in another way: is it possible to block sslmode=prefer from any clients in the server configuration, like postgresql.conf or pg_hba.conf, or anywhere else?
Thanks,
Balaji CT
-----Original Message-----
From: Andres Freund [mailto:andres@anarazel.de]
Sent: Tuesday, October 25, 2016 10:21 AM
To: Chithambaram, Balaji (CONT) <Balaji.Chithambaram@capitalone.com>
Cc: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
On 2016-10-25 13:50:16 +0000, balaji.chithambaram@capitalone.com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14395
> Logged by: Balaji Chithambaram
> Email address: balaji.chithambaram@capitalone.com
> PostgreSQL version: 9.5.4
> Operating system: Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use the default client method sslmode=prefer, the expected behaviour is
> to try an SSL connection by validating the certificate and then, if it
> doesn't succeed, go for a non-SSL connection. But sslmode=prefer goes to an SSL
> connection without checking the certificate provided.
>
> This gives an option: if any server IP configured for SSL connection
> can be spoofed with the same IP, though we enforced SSL with a
> certificate, it can connect without the actual certificate and defeats the purpose.
If somebody can MITM the connection, they can also fake not supporting SSL.
sslmode=prefer simply isn't an adequate protection against that, and you
need to use sslmode=verify-ca or verify-full.
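Added example, not part of the thread and not PostgreSQL project code. It shows the two sides of the question above in one shell file: what the server side can do in pg_hba.conf (force TLS and require a client certificate, reject plaintext), and the client-side policy the thread actually recommends, a small wrapper that refuses to hand a conninfo string to psql unless sslmode is verify-ca or verify-full and a CA bundle is named. The pg_hba.conf lines use PostgreSQL 9.5-era syntax (clientcert=1; the server also needs ssl=on and ssl_ca_file set in postgresql.conf). The database name, user, network range, paths and the function names pg_hba_example, conninfo_get, conninfo_is_verified and safe_psql are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the pgsql-bugs thread). Two halves:
#  1. pg_hba_example: the closest a server can get to "blocking sslmode=prefer":
#     accept only TLS connections that present a client certificate and reject
#     everything else. PostgreSQL 9.5-era syntax (clientcert=1); the server
#     also needs ssl=on and ssl_ca_file set in postgresql.conf.
#  2. conninfo_is_verified / safe_psql: the client-side policy the thread
#     recommends: refuse to connect unless sslmode is verify-ca or verify-full
#     and a CA bundle is named.
# Database name, user, the 10.0.0.0/8 range and all paths are constructed placeholders.

pg_hba_example() {
  cat <<'EOF'
# TYPE      DATABASE  USER  ADDRESS      METHOD  OPTIONS
hostssl     app       app   10.0.0.0/8   md5     clientcert=1
hostnossl   all       all   0.0.0.0/0    reject
EOF
}

# Pull one key's value out of a libpq "key=value key=value" conninfo string.
# Values containing spaces or quotes are not handled (they would need libpq's
# quoting rules); the last occurrence wins, as in libpq.
conninfo_get() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Succeeds (exit 0) only when the connection would verify the server's
# certificate. Falls back to PGSSLMODE / PGSSLROOTCERT the way libpq does,
# and to libpq's default of "prefer" when neither is set, which fails policy.
conninfo_is_verified() {
  ci_mode=$(conninfo_get sslmode "$1")
  ci_mode=${ci_mode:-${PGSSLMODE:-prefer}}
  ci_ca=$(conninfo_get sslrootcert "$1")
  ci_ca=${ci_ca:-$PGSSLROOTCERT}
  case "$ci_mode" in
    verify-ca|verify-full) [ -n "$ci_ca" ] ;;
    *) return 1 ;;
  esac
}

# Wrapper for psql: hand the conninfo through only when the policy passes.
safe_psql() {
  if conninfo_is_verified "$1"; then
    psql "$@"
  else
    echo "refusing to connect: need sslmode=verify-ca or verify-full plus sslrootcert" >&2
    return 2
  fi
}
```

Usage: `safe_psql "host=db.example.com dbname=app user=app sslmode=verify-full sslrootcert=/etc/ssl/certs/corp-root.pem"` runs psql; the same string with sslmode=prefer, or with no sslmode and no PGSSLMODE, is refused. The pg_hba.conf half is worth reading with the thread's answer in mind: hostssl plus clientcert=1 means an interceptor that terminated TLS toward the client cannot complete authentication to the real server (it lacks the client's private key), and hostnossl reject stops a downgraded plaintext session from ever authenticating, but neither setting makes the client check who it is talking to. A prefer client still completes a handshake with an impostor and sends it whatever it sends; only verify-ca or verify-full on the client side closes that, which is why the check has to live in the client policy.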