Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL - Mailing list pgsql-bugs

From Chithambaram, Balaji (CONT)
Subject Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
Date
Msg-id CY1P103MB00423B6A12425236BA7891F89FA80@CY1P103MB0042.NAMP103.PROD.OUTLOOK.COM
In response to Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL  (Andres Freund <andres@anarazel.de>)
List pgsql-bugs
We can enforce sslmode=verify-ca or verify-full in our client setup. How can we make sure sslmode=prefer either checks the certificate and establishes an SSL connection, or does not try to set up an SSL connection?

Let me ask in another way: is it possible to block sslmode=prefer from any clients in the server configuration, like postgresql.conf or pg_hba.conf, or in any other place?

Thanks,
Balaji CT

-----Original Message-----
From: Andres Freund [mailto:andres@anarazel.de]
Sent: Tuesday, October 25, 2016 10:21 AM
To: Chithambaram, Balaji (CONT) <Balaji.Chithambaram@capitalone.com>
Cc: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 13:50:16 +0000, balaji.chithambaram@capitalone.com wrote:
> The following bug has been logged on the website:
>
> Bug reference:      14395
> Logged by:          Balaji Chithambaram
> Email address:      balaji.chithambaram@capitalone.com
> PostgreSQL version: 9.5.4
> Operating system:   Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use the default client method sslmode=prefer, the expected behaviour is
> to try an SSL connection by validating the certificate and then, if it
> doesn't succeed, go for a non-SSL connection. But sslmode=prefer goes to an SSL
> connection without checking the certificate provided.
>
> This gives an option: if any server's IP configured for SSL connections
> can be spoofed with the same IP, then even though we enforced SSL with a
> certificate, it can connect without the actual certificate and defeats the
> purpose.

If somebody can MITM the connection, they can also fake not supporting SSL. sslmode=prefer simply isn't an adequate protection against that, and you need to use sslmode=verify-ca or verify-full.
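The downgrade Andres describes happens at the very first message of the PostgreSQL wire protocol, before TLS starts and before any certificate is seen. The Python model below is added here as an illustration; it is not libpq source and not code from anyone in this thread. It sends a real SSLRequest packet (int32 length 8 followed by int32 code 80877103) over a local socket pair and lets the "server" answer either 'S' (an honest server willing to start TLS) or 'N' (what a man-in-the-middle would reply). The client-side decision table is a simplified model of libpq's documented sslmode semantics (an assumption, not libpq's own logic): prefer and require never verify the server certificate, and only prefer keeps going in plaintext after an 'N'. Real libpq's prefer also falls back to plaintext when the TLS handshake itself fails, which the model does not cover. The names `negotiate`, `client_decide`, `server_side` and `downgrade_matrix` are this example's own.

```python
import socket
import struct
from typing import Dict, Optional

# Real PostgreSQL protocol constants: an SSLRequest is int32 length (8)
# followed by int32 code 80877103 == (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)

# Simplified model of libpq's sslmode handling (assumption: modelled from the
# documented semantics, not libpq source).
#   sslmode -> (send SSLRequest, abort if server answers 'N', verify certificate)
SSLMODES: Dict[str, tuple] = {
    "disable":     (False, False, False),
    "prefer":      (True,  False, False),   # downgrades silently on 'N'
    "require":     (True,  True,  False),   # encrypted, but server unauthenticated
    "verify-ca":   (True,  True,  True),
    "verify-full": (True,  True,  True),    # also checks the host name (not modelled)
}


def server_side(sock: socket.socket, answer: bytes) -> None:
    """Read one SSLRequest and reply with b"S" (real server) or b"N" (MITM)."""
    request = b""
    while len(request) < 8:
        chunk = sock.recv(8 - len(request))
        if not chunk:
            raise ConnectionError("client closed before sending SSLRequest")
        request += chunk
    length, code = struct.unpack("!ii", request)
    if length != 8 or code != SSL_REQUEST_CODE:
        raise ValueError("not an SSLRequest: %r" % request)
    sock.sendall(answer)


def client_decide(sslmode: str, reply: Optional[bytes]) -> Dict[str, bool]:
    """Decide what the client does after the one-byte reply (None = never asked)."""
    send_request, abort_on_n, verify = SSLMODES[sslmode]
    if not send_request:
        return {"connected": True, "encrypted": False, "verified": False}
    if reply == b"S":
        # Real libpq would start the TLS handshake here; the certificate is
        # validated only when verify is True (verify-ca / verify-full).
        return {"connected": True, "encrypted": True, "verified": verify}
    if reply == b"N":
        if abort_on_n:
            return {"connected": False, "encrypted": False, "verified": False}
        # sslmode=prefer: carry on in plaintext, exactly what a MITM wants.
        return {"connected": True, "encrypted": False, "verified": False}
    raise ValueError("unexpected SSLRequest reply: %r" % (reply,))


def negotiate(sslmode: str, server_answer: bytes) -> Dict[str, bool]:
    """Run one client/server SSLRequest exchange over a local socket pair."""
    client, server = socket.socketpair()
    try:
        if not SSLMODES[sslmode][0]:
            return client_decide(sslmode, None)   # sslmode=disable: no SSLRequest
        client.sendall(SSL_REQUEST)               # client -> server: SSLRequest
        server_side(server, server_answer)        # server -> client: 'S' or 'N'
        return client_decide(sslmode, client.recv(1))
    finally:
        client.close()
        server.close()


def downgrade_matrix() -> Dict[str, Dict[str, Dict[str, bool]]]:
    """Every sslmode against an honest server ('S') and a MITM that says 'N'."""
    return {
        mode: {"honest": negotiate(mode, b"S"), "mitm": negotiate(mode, b"N")}
        for mode in SSLMODES
    }


if __name__ == "__main__":
    for mode, outcomes in downgrade_matrix().items():
        print("%-12s honest=%s  mitm=%s" % (mode, outcomes["honest"], outcomes["mitm"]))
```

Running the matrix shows the two things the thread is about: with prefer the MITM row ends up connected and unencrypted, and even against an honest server prefer and require end up encrypted but unverified, so a spoofed server with any certificate is accepted. None of this is visible to the server, which only learns whether TLS was negotiated, never the client's sslmode. The closest server-side control is a pg_hba.conf that accepts only hostssl lines (or carries an explicit hostnossl ... reject), which refuses plaintext sessions; it still cannot make a client validate the certificate, so verify-ca or verify-full with an sslrootcert remains a client-side setting.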

