BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

Started by Chithambaram, Balaji (CONT), over 9 years ago, 5 messages, bugs
#1 Chithambaram, Balaji (CONT)
Balaji.Chithambaram@capitalone.com

The following bug has been logged on the website:

Bug reference: 14395
Logged by: Balaji Chithambaram
Email address: balaji.chithambaram@capitalone.com
PostgreSQL version: 9.5.4
Operating system: Red Hat Enterprise Linux Server release 6.8
Description:

When we use default client method sslmode=prefer expected behaviour is to
try ssl connection by validating the certificate and then if it doesn't go
for non-SSL connection. But sslmode=prefer goes to SSL connection without
checking certificate provided.

This gives an option if any server's ip configured for ssl connection can be
spoofed with same ip, though we enforced ssl with certificate, it can
connect without actual certificate and defeats the purpose.

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

#2 Andres Freund
andres@anarazel.de
In reply to: Chithambaram, Balaji (CONT) (#1)
Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 13:50:16 +0000, balaji.chithambaram@capitalone.com wrote:

> The following bug has been logged on the website:
>
> Bug reference: 14395
> Logged by: Balaji Chithambaram
> Email address: balaji.chithambaram@capitalone.com
> PostgreSQL version: 9.5.4
> Operating system: Red Hat Enterprise Linux Server release 6.8
> Description:
>
> When we use default client method sslmode=prefer expected behaviour is to
> try ssl connection by validating the certificate and then if it doesn't go
> for non-SSL connection. But sslmode=prefer goes to SSL connection without
> checking certificate provided.
>
> This gives an option if any server's ip configured for ssl connection can be
> spoofed with same ip, though we enforced ssl with certificate, it can
> connect without actual certificate and defeats the purpose.

If somebody can MITM the connection, they can also fake not supporting
SSL. sslmode=prefer simply isn't an adequate protection against that,
and you need to use sslmode=verify-ca or verify-full.


#3 Chithambaram, Balaji (CONT)
Balaji.Chithambaram@capitalone.com
In reply to: Andres Freund (#2)
Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

We can enforce on our client setup sslmode=verify-ca or verify-full. How can we make sure sslmode=prefer either checks the certificate and establishes ssl connection or not to try setting up ssl connection?

Let me ask in another way, is it possible to block sslmode=prefer from any clients on the server configuration like postgresql.conf or pg_hba.conf or in any other place?

Thanks,
Balaji CT


#4 Andres Freund
andres@anarazel.de
In reply to: Chithambaram, Balaji (CONT) (#3)
Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

On 2016-10-25 14:41:34 +0000, Chithambaram, Balaji (CONT) wrote:

> We can enforce on our client setup sslmode=verify-ca or
> verify-full.

I guess you meant "can't" not "can"?

> How can we make sure sslmode=prefer either checks the
> certificate and establishes ssl connection or not to try setting up ssl
> connection?

That's a nonsensical configuration, you can't.

> Let me ask in another way, is it possible to block sslmode=prefer from
> any clients on the server configuration like postgresql.conf or
> pg_hba.conf or in any other place?

No. Client configuration can't be enforced on the serverside. Random
client libraries can do whatever they want.

Andres
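
Added example, not part of the original thread or of PostgreSQL: since the replies above say only sslmode=verify-ca or verify-full protect against a spoofed server and that the server cannot enforce the client's choice, one place to check is the client connection strings themselves. The sketch below works out the sslmode libpq would end up with for a keyword/value DSN or a postgresql:// URI (an explicit sslmode, then the PGSSLMODE environment variable, then the default of prefer) and flags modes that do not authenticate the server. The function names and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Only the verify-* modes make the client check the server certificate;
# disable/allow/prefer/require give no guaranteed server authentication.
VERIFIES_SERVER = {"verify-ca", "verify-full"}
KNOWN_MODES = {"disable", "allow", "prefer", "require"} | VERIFIES_SERVER
DEFAULT_MODE = "prefer"  # libpq default when sslmode is not set anywhere

# keyword=value pairs; a value may be single-quoted with backslash escapes,
# so text inside a quoted password is never mistaken for a parameter.
_PAIR = re.compile(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")


def effective_sslmode(conninfo, env=None):
    """Return the sslmode in effect for a DSN or postgresql:// URI."""
    env = env or {}
    if conninfo.startswith(("postgresql://", "postgres://")):
        query = parse_qs(urlsplit(conninfo).query)
        params = {key: values[-1] for key, values in query.items()}
    else:
        params = {}
        for key, quoted, bare in _PAIR.findall(conninfo):
            params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return params.get("sslmode") or env.get("PGSSLMODE") or DEFAULT_MODE


def audit(conninfo, env=None):
    """Return (mode, verdict): 'ok', 'unauthenticated' or 'invalid'."""
    mode = effective_sslmode(conninfo, env)
    if mode not in KNOWN_MODES:
        return mode, "invalid"
    return mode, "ok" if mode in VERIFIES_SERVER else "unauthenticated"


# Constructed sample connection strings (hypothetical hosts and users).
SAMPLES = [
    "host=db.example dbname=orders user=app",
    "postgresql://app@db.example:5432/orders?sslmode=require",
    "host=db.example password='x sslmode=disable' sslmode = 'verify-full'",
]

if __name__ == "__main__":
    for dsn in SAMPLES:
        print(audit(dsn), dsn)
```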


#5 Chithambaram, Balaji (CONT)
Balaji.Chithambaram@capitalone.com
In reply to: Andres Freund (#4)
Re: BUG #14395: sslmode=prefer not checking for certificate and allows connection as SSL

We can enforce on our client setup sslmode=verify-ca or verify-full. [ I was trying to make a statement that we can do this ].

Problem I see, sslmode=prefer is not checking for certificate and if you go to the logs on server side or psql client prompt, it is saying established SSL connection with protocols and so on. Documentation says sslmode=prefer is the default client setup and we are using 9.5 clients. So if we make sslmode=prefer to check for certificate or if we block ssl connection itself while setting up sslmode=prefer any one of those would help us and trying to see solution on that angle.
