Preventing accidental non-SSL connections in psql?

Started by Yang Zhang, about 15 years ago, 9 messages, general
#1 Yang Zhang
yanghatespam@gmail.com

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

#2 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Yang Zhang (#1)
Re: Preventing accidental non-SSL connections in psql?

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

--
Adrian Klaver
adrian.klaver@gmail.com

#3 Yang Zhang
yanghatespam@gmail.com
In reply to: Adrian Klaver (#2)
Re: Preventing accidental non-SSL connections in psql?

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

#4 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Yang Zhang (#3)
Re: Preventing accidental non-SSL connections in psql?

On Wednesday, April 06, 2011 4:24:30 pm Yang Zhang wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

http://www.postgresql.org/docs/9.0/interactive/ssl-tcp.html
17.8.1. Using client certificates

--
Adrian Klaver
adrian.klaver@gmail.com

#5 Scott Marlowe
scott.marlowe@gmail.com
In reply to: Yang Zhang (#3)
Re: Preventing accidental non-SSL connections in psql?

On Wed, Apr 6, 2011 at 5:24 PM, Yang Zhang <yanghatespam@gmail.com> wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

As long as you only have hostssl entries for connections the users
can't connect without ssl.

#6 Yang Zhang
yanghatespam@gmail.com
In reply to: Adrian Klaver (#4)
Re: Preventing accidental non-SSL connections in psql?

On Wed, Apr 6, 2011 at 4:53 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:24:30 pm Yang Zhang wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

http://www.postgresql.org/docs/9.0/interactive/ssl-tcp.html
17.8.1. Using client certificates

Client certs are only for client authentication; I'm interested in
mandatory server authentication.

#7 Yang Zhang
yanghatespam@gmail.com
In reply to: Scott Marlowe (#5)
Re: Preventing accidental non-SSL connections in psql?

On Wed, Apr 6, 2011 at 4:57 PM, Scott Marlowe <scott.marlowe@gmail.com> wrote:

On Wed, Apr 6, 2011 at 5:24 PM, Yang Zhang <yanghatespam@gmail.com> wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

As long as you only have hostssl entries for connections the users
can't connect without ssl.

hostssl is a server-side policy; I'm interested in setting up my
client with mandatory server authentication.

#8 Adrian Klaver
adrian.klaver@aklaver.com
In reply to: Yang Zhang (#7)
Re: Preventing accidental non-SSL connections in psql?

On Wednesday, April 06, 2011 5:21:23 pm Yang Zhang wrote:

On Wed, Apr 6, 2011 at 4:57 PM, Scott Marlowe <scott.marlowe@gmail.com> wrote:

On Wed, Apr 6, 2011 at 5:24 PM, Yang Zhang <yanghatespam@gmail.com> wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

As long as you only have hostssl entries for connections the users
can't connect without ssl.

hostssl is a server-side policy; I'm interested in setting up my
client with mandatory server authentication.

http://www.postgresql.org/docs/9.0/interactive/libpq-envars.html
PGSSLMODE behaves the same as the sslmode connection parameter.

Now you have both ends and the middle:)
--
Adrian Klaver
adrian.klaver@gmail.com

#9 Yang Zhang
yanghatespam@gmail.com
In reply to: Adrian Klaver (#8)
Re: Preventing accidental non-SSL connections in psql?

On Wed, Apr 6, 2011 at 6:18 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 5:21:23 pm Yang Zhang wrote:

On Wed, Apr 6, 2011 at 4:57 PM, Scott Marlowe <scott.marlowe@gmail.com> wrote:

On Wed, Apr 6, 2011 at 5:24 PM, Yang Zhang <yanghatespam@gmail.com> wrote:

On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@gmail.com> wrote:

On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote:

How do I prevent accidental non-SSL connections (at least to specific
hosts) when connecting via psql? Is there any configuration for this?
Thanks.

http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html
hostssl
http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html
sslmode

I'm aware of sslmode and hostssl - the threat model I'm asking about
is the client getting MITM'd because the user forgets to specify `psql
sslmode=verify-full`.

As long as you only have hostssl entries for connections the users
can't connect without ssl.

hostssl is a server-side policy; I'm interested in setting up my
client with mandatory server authentication.

http://www.postgresql.org/docs/9.0/interactive/libpq-envars.html
PGSSLMODE behaves the same as the sslmode connection parameter.

Now you have both ends and the middle:)

Thanks, exactly what I was looking for.
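
The client-side setup the thread arrives at, as an added example that is not part of any poster's message: `PGSSLMODE` makes `verify-full` the default for every libpq client, and because an explicit `sslmode` in the connection string still overrides that default, a wrapper can refuse anything weaker. The function names `effective_sslmode` and `psql_strict` and the host `db.example.com` are hypothetical; the parser assumes simple `keyword=value` or URI query forms.

```shell
# Added example; function names and hosts are illustrative, not from the thread.
# Put this in ~/.profile so every libpq client (psql, pg_dump, ...) defaults to
# an encrypted connection with certificate and hostname verification.
# verify-full needs the CA certificate at ~/.postgresql/root.crt or at the
# path named by PGSSLROOTCERT; without it the connection fails.
export PGSSLMODE=verify-full

# effective_sslmode CONNINFO
# Print the sslmode a connection string would end up with: an explicit
# sslmode= in the conninfo or URI wins, then PGSSLMODE, then libpq's
# built-in default "prefer" (which silently falls back to plaintext).
# Assumption: if sslmode is repeated, the last occurrence is taken.
effective_sslmode() {
    conninfo=$1
    mode=$(printf '%s\n' "$conninfo" \
        | tr ' ?&' '\n\n\n' \
        | sed -n 's/^sslmode=//p' \
        | tr -d "\"'" \
        | tail -n 1)
    printf '%s\n' "${mode:-${PGSSLMODE:-prefer}}"
}

# psql_strict CONNINFO [psql options...]
# Run psql only when the effective mode is verify-full, so a stray
# sslmode=disable or an unset PGSSLMODE cannot downgrade the session.
psql_strict() {
    mode=$(effective_sslmode "$1")
    if [ "$mode" != verify-full ]; then
        echo "refusing to connect: effective sslmode is '$mode'" >&2
        return 1
    fi
    psql "$@"
}

# Usage:
#   psql_strict "host=db.example.com dbname=app user=app"
```

Once connected, `\conninfo` in psql reports whether the session is using SSL.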