On Sat, 11 Dec 2004, Andrew M wrote:
> so the best I can do at the moment, in terms of ssl on postgresql via
> JDBC, is to use an unauthenticated connection!? Is man in the middle a
> real concern, as the data in the tables will be encrypted?
No, it's not unauthenticed. We authenticate the server certificate, but
not a client certificate. This is exactly like browsing to a https
website. You validate the server's certificate, checking that they are
who they say they are, but you don't send the web server a client
certificate. This means the web server, or in our case the postgresql
server, cannot verify that you are who you say are from the ssl connection
alone, but there are other means of doing this, like a password.
Kris Jurka
