Re: proper pg_hba config to require ssl from non-local/private ips - Mailing list pgsql-admin

From Scott Ribe
Subject Re: proper pg_hba config to require ssl from non-local/private ips
Date
Msg-id E7513C58-F643-41B0-9EFD-EA8455B36553@elevated-dev.com
In response to Re: proper pg_hba config to require ssl from non-local/private ips  (Matthew Lenz <mlenz@nocturnal.org>)
List pgsql-admin
> On Oct 19, 2022, at 10:29 AM, Matthew Lenz <mlenz@nocturnal.org> wrote:
>
> I didn't say the client was meant to enforce it.  I meant the server should be enforcing it (it's not).

Doesn't really make sense for the server to determine client verification of server certificate.

1) Server controls what certificate is provided, thus has control over what CA is used.

2) What would it mean for server to turn OFF client verification? Server is allowed to say "here's my cert, doesn't
matter that it's using a bogus CA, you take it regardless of your local settings"???
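
The split discussed in this message, as an added example that is not part of the original post or of the PostgreSQL project: the server decides in pg_hba.conf which addresses must use TLS, while certificate verification is chosen by the client through its own connection settings. The address ranges, authentication method, host name and file path are assumptions made for illustration.

```conf
# --- Server side: pg_hba.conf ---
# Records are checked top to bottom and the first match decides.
# A connection that matches no record is rejected.
# Constructed sample ranges; replace with your own networks.

# TYPE     DATABASE  USER  ADDRESS         METHOD
local      all       all                   peer
host       all       all   127.0.0.1/32    scram-sha-256
host       all       all   ::1/128         scram-sha-256

# Private ranges: "host" matches both TLS and non-TLS connections.
host       all       all   10.0.0.0/8      scram-sha-256
host       all       all   172.16.0.0/12   scram-sha-256
host       all       all   192.168.0.0/16  scram-sha-256

# Everything else: "hostssl" matches only TLS connections.
hostssl    all       all   0.0.0.0/0       scram-sha-256
hostssl    all       all   ::/0            scram-sha-256

# Explicit rejects for non-TLS from other addresses. These would be
# rejected anyway for lack of a match; the lines make the intent visible.
hostnossl  all       all   0.0.0.0/0       reject
hostnossl  all       all   ::/0            reject

# --- Client side: libpq connection string ---
# Nothing above makes the client check the server certificate.
# That is set here, by the client:
#   sslmode=require      encrypts; no host name check
#   sslmode=verify-full  checks the chain against sslrootcert and the host name
# Hypothetical host name and CA path:
host=db.example.com dbname=app user=app sslmode=verify-full sslrootcert=/etc/ssl/certs/example-root.crt
```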

