Home > mailing lists

Re: BUG #4340: SECURITY: Is SSL Doing Anything? - Mailing list pgsql-bugs

From	Magnus Hagander
Subject	Re: BUG #4340: SECURITY: Is SSL Doing Anything?
Date	August 19, 2008 16:01:47
Msg-id	48AB1890.8020304@hagander.net Whole thread Raw
In response to	Re: BUG #4340: SECURITY: Is SSL Doing Anything? (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-bugs

Tree view

Tom Lane wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> (I don't believe OpenSSL does this verification either, because AFAICS
>> OpenSSL only ever sees the IP address of the server, and not the FQDN)
>
> In common usages libpq doesn't have the FQDN of the server either.
> To impose such a requirement, we'd have to forbid naming the server
> by IP address or via a domain-search-path abbreviation.

You could issue a certificate to an IP address, so you could match the
textual representation of the IP in that case.

Or you could require the FQDN for a SSL connection when this
verification is enabled. A similar restriction already exists for
Kerberos, for example.

//Magnus

pgsql-bugs by date:

From: Tom Lane
Date: 19 August 2008, 15:58:14
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?

From: Magnus Hagander
Date: 19 August 2008, 16:28:57
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?

Previous

Next