Re: [pgsql-hackers-win32] More SSL questions.. - Mailing list pgsql-bugs

From Tom Lane
Subject Re: [pgsql-hackers-win32] More SSL questions..
Msg-id 1755.1104964583@sss.pgh.pa.us
In response to Re: [pgsql-hackers-win32] More SSL questions..  (Oliver Jowett <oliver@opencloud.com>)
List pgsql-bugs
Oliver Jowett <oliver@opencloud.com> writes:
> Tom Lane wrote:
>> I'm not sure if this is desirable.  Should libpq try to fall back to a
>> non-SSL-encrypted connection, instead?

> Only if the server certificate validates, otherwise an active attacker
> could intercept the SSL connection to force libpq to fall back to
> non-SSL and then intercept the unencrypted/unauthenticated connection.

The problem case is where there are no SSL support files, and so the client
isn't going to be able to validate the server cert anyway.  So the above
doesn't seem real helpful...

Basically my point here is that the default "prefer" SSL mode
effectively becomes "require" if the server has a root.crt.

            regards, tom lane
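As an added illustration (not code from this thread or from libpq itself), the following Python models the SSLRequest exchange and the two fallback behaviours under discussion: unconditional fallback to plaintext when the SSL attempt fails, versus the proposal to fall back only when the server certificate validated. The `negotiate` function, its `fallback_policy` switch and the sample inputs are assumptions for the model; only the SSLRequest packet layout is the real wire format.

```python
import struct

# libpq's SSLRequest: Int32 length (8) followed by Int32 code 80877103 = (1234 << 16) | 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest packet a client sends before its startup message."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_accepts_ssl(reply: bytes) -> bool:
    """The server answers SSLRequest with one byte: 'S' (proceed with SSL) or 'N' (no SSL)."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError("unexpected SSLRequest reply: %r" % (reply,))


def negotiate(sslmode, reply, handshake_ok, cert_validated, fallback_policy="always"):
    """Assumed model of one connection attempt; returns 'ssl', 'plain' or 'refused'.

    sslmode:          'disable', 'prefer' or 'require'.
    reply:            the server's one-byte answer to SSLRequest.
    handshake_ok:     whether the TLS handshake completed (False if, say, the server
                      demanded a client certificate the client does not have).
    cert_validated:   whether the client checked the server cert against a local
                      root.crt; always False when the client has no root.crt.
    fallback_policy:  'always' retries in plaintext after any SSL failure;
                      'only_if_validated' retries only when the server cert validated.
    """
    if sslmode == "disable":
        return "plain"
    if not server_accepts_ssl(reply):
        return "refused" if sslmode == "require" else "plain"
    if handshake_ok:
        return "ssl"
    if sslmode == "require":
        return "refused"
    # sslmode=prefer and the SSL attempt failed: decide whether to retry in plaintext.
    # With no root.crt on the client, cert_validated is False, so under
    # 'only_if_validated' prefer ends up behaving like require.
    if fallback_policy == "always" or cert_validated:
        return "plain"
    return "refused"
```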
