We can enforce on our client setup sslmode=verify-ca or verify-full. [ I was trying to make a statement that we can do this ].
Problem I see, sslmode=prefer is not checking for certificate and if you go to the logs on server side or psql client prompt, it is saying established SSL connection with protocols and so on. Documentation says sslmode=prefer is the default client setup and we are using 9.5 clients. So if we make sslmode=prefer to check for certificate or if we block ssl connection itself while setting up sslmode=prefer any one of those would help us and trying to see solution on that angle.
-----Original Message-----
From: Andres Freund [mailto:andres@anarazel.de]
Sent: Tuesday, October 25, 2016 10:45 AM
To: Chithambaram, Balaji (CONT) <Balaji.Chithambaram@capitalone.com>
Cc: pgsql-bugs@postgresql.org
Subject: Re: [BUGS] BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL
On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:
> We can enforce on our client setup sslmode=verify-ca or verify-full.
I guess you meant "can't" not "can"?
> How can we make sure sslmode=prefer either checks the certificate and
> establish ssl connection or not to try setting up ssl connection.
That's a nonsensical configuration, you can't.
> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place.
No. Client configuration can't be enforced on the serverside. Random client
libraries can do whatever they want.
Andres
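
Since the thread establishes that the server cannot enforce a client's sslmode, the check has to happen on the client side. The following is an added example, not code from either poster or from PostgreSQL: a small audit that works out the effective sslmode of a libpq connection string or URI and reports whether it verifies the server certificate. The names `parse_conninfo`, `audit` and the sample hosts are hypothetical, and service files are assumed not to be in use.

```python
from urllib.parse import urlsplit, parse_qs

VERIFYING = {"verify-ca", "verify-full"}  # only these validate the server certificate
DEFAULT_SSLMODE = "prefer"                # libpq default when nothing sets sslmode

def parse_conninfo(s):
    """Parse a libpq keyword/value string (quotes, backslash escapes) or a URI."""
    if s.startswith(("postgresql://", "postgres://")):
        return {k: v[-1] for k, v in parse_qs(urlsplit(s).query).items()}
    out, i, n = {}, 0, len(s)
    while i < n:
        if s[i].isspace():
            i += 1
            continue
        j = s.find("=", i)
        if j < 0:
            raise ValueError("missing '=' after %r" % s[i:])
        key, i = s[i:j].strip(), j + 1
        while i < n and s[i].isspace():   # spaces after '=' are allowed
            i += 1
        quoted = i < n and s[i] == "'"
        if quoted:
            i += 1
        val = []
        while i < n:
            c = s[i]
            if c == "\\" and i + 1 < n:   # \' and \\ escapes
                val.append(s[i + 1])
                i += 2
                continue
            i += 1
            if (quoted and c == "'") or (not quoted and c.isspace()):
                break
            val.append(c)
        out[key] = "".join(val)
    return out

def audit(conninfo, env=None):
    """Return (effective sslmode, whether the server certificate is verified)."""
    params = parse_conninfo(conninfo)
    # Explicit parameter wins, then PGSSLMODE, then the built-in default.
    mode = params.get("sslmode") or (env or {}).get("PGSSLMODE") or DEFAULT_SSLMODE
    return mode, mode in VERIFYING

if __name__ == "__main__":
    # Constructed sample inputs; hostnames are placeholders.
    for dsn in ["host=db.example.internal dbname=app",
                "host=db.example.internal sslmode = 'verify-full'",
                "postgresql://app@db.example.internal/app?sslmode=require"]:
        print(dsn, "->", audit(dsn))
```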