ssl connections with psql

Ron Peterson writes:

I've compiled Postgresql-7.1beta5 on two machines, enabling SSL support on
both. Am I correct that if do `psql -h <othermachine>`, that this
connection will be established via ssl? I.E. - that is the default
connection mode, if it is enabled?

Yes.

Then, if I want to allow *only* ssl connections, I replace `host` with
`hostssl` in my pg_hba.conf?

Yes.

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

Hi !

I've compiled Postgresql-7.1beta5 on two machines, enabling SSL support

on

both. Am I correct that if do `psql -h <othermachine>`, that this
connection will be established via ssl? I.E. - that is the default
connection mode, if it is enabled?

Yes.

Then, if I want to allow *only* ssl connections, I replace `host` with
`hostssl` in my pg_hba.conf?

Yes.

May I ask what the difference between apache compiled with ssl and
postgresql with ssl is? if there's any...

regards Chris

Christian Marschalek writes:

May I ask what the difference between apache compiled with ssl and
postgresql with ssl is? if there's any...

Apache serves encrypted HTTP connections, PostgreSQL serves encrypted
database connections.

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

On Fri, Mar 16, 2001 at 05:58:42PM +0100, Christian Marschalek wrote:

Hi !

Yes.

May I ask what the difference between apache compiled with ssl and
postgresql with ssl is? if there's any...

very easy question that even i can answer.

apache is a web server

postgresql is database server

got it??

ssl is general software layer which lives between some
user level applications and os. you can make almost all
of your run of the mills tcp/ip applications ssl aware.

apache and postgresql being one of those run of the mills
applications they learn how to speak ssl language.

ssl is generally associated with web servers/browsers
because netscape invented it. whether it's good or
bad i'm not sure. i dislike the way netscape marketed
it itself using scare tactics.. nowadays people consider
ssl panacea for network security and i'm sick of getting
clueless client wanting ssl pages for their applications who
don't realize all the risks involved. it's almost always
like buying $10,000 alarm system and leaving the window
open when you left your house. necessity is the source
of inventions, they say. but i often wonder..

well i ment over apache (with php) to a database :o)

Was a misunderstanding on my side :o)

Thanks!

Christian Marschalek writes:

well i ment over apache (with php) to a database :o)

Apache encrypts the connection to the web user, PostgreSQL encrypts the
connection to the database user, which in this case would be Apache.
I.e.:

Web user ---SSL---> Apache ---SSL---> PostgreSQL

Typically, in these setups, the Apache to PostgreSQL connection is over a
trusted wire, such as a Unix domain socket, local loopback, or LAN, so SSL
won't be necessary. But if you run a database (not web) connection over
the Internet then you might care.

-----Original Message-----
From: Peter Eisentraut [mailto:peter_e@gmx.net]
Sent: Friday, March 16, 2001 6:19 PM
To: Christian Marschalek
Cc: [GENERAL] PostgreSQL
Subject: RE: [GENERAL] ssl connections with psql

Christian Marschalek writes:

May I ask what the difference between apache compiled with ssl and
postgresql with ssl is? if there's any...

Apache serves encrypted HTTP connections, PostgreSQL serves encrypted
database connections.

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

Peter Eisentraut wrote:

Christian Marschalek writes:

well i ment over apache (with php) to a database :o)

Apache encrypts the connection to the web user, PostgreSQL encrypts the
connection to the database user, which in this case would be Apache.
I.e.:
Web user ---SSL---> Apache ---SSL---> PostgreSQL
Typically, in these setups, the Apache to PostgreSQL connection is over a
trusted wire, such as a Unix domain socket, local loopback, or LAN, so SSL
won't be necessary. But if you run a database (not web) connection over
the Internet then you might care.

For those reading this and assuming that using SSL is always a good thing,
SSL data connections are up to 100 times slower, as all of the data has
to be encrypted and decrypted by the server and the client. Running SSL
connections to the same server you're hosting the web pages on would be
a fairly interesting way of shooting yourself in the foot, but not useful
for much else.

-Ronabop

--2D426F70|759328624|00101101010000100110111101110000
Personal: ron@opus1.com, 520-326-6109, http://www.opus1.com/ron/
Work: rchmara@pnsinc.com, 520-546-8993, http://www.pnsinc.com/
The opinions expressed in this email are not necessarily those of myself,
my employers, or any of the other little voices in my head.

For those reading this and assuming that using SSL is always a good thing,
SSL data connections are up to 100 times slower, as all of the data has
to be encrypted and decrypted by the server and the client. Running SSL
connections to the same server you're hosting the web pages on would be
a fairly interesting way of shooting yourself in the foot, but not useful
for much else.

I'm not assuming SSL is always a good thing, but sometimes security is more
important than speed, and in this case SSL does excatly what it should :o)