"Mike Rylander" <[EMAIL PROTECTED]> writes:
> On Dec 22, 2007 1:04 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
>> Hmm ... we've always thought of SSL as being primarily comm security
>> and thus useless on a Unix socket, but the mutual authentication aspect
>> could come in handy as an answer for this type of threat.  Anyone want
>> to try this and see if it really works or not?
>> 
>> Does OpenSSL have a mode where it only does mutual auth and not
>> encryption?

> [EMAIL PROTECTED]:~$ openssl ciphers -v  'NULL'

Cool.  I took a quick look through the code, and I think that a smoke
test could be made just by diking out these lines in 
src/interfaces/libpq/fe-connect.c:

                if (IS_AF_UNIX(conn->raddr.addr.ss_family))
                {
                    /* Don't bother requesting SSL over a Unix socket */
                    conn->allow_ssl_try = false;
                }

Actual support would require rather more effort --- for instance,
I doubt that the default behavior should be to try to do SSL over a
socket, so "sslmode" would need some extension, and we'd want to extend
the pg_hba.conf keywords --- but I think this would be enough to allow
verifying whether it will work.

                        regards, tom lane
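One check worth doing before wiring this into libpq: the OpenSSL `NULL` alias that Mike's `openssl ciphers -v 'NULL'` command lists covers every suite with no encryption, including anonymous ones (Au=None) that authenticate nobody, so a "mutual auth only" configuration has to exclude those as well. The following is an added example, not code from the thread or from PostgreSQL: it parses the `openssl ciphers -v` field layout and keeps only suites that leave the data unencrypted but still authenticate the peer (the equivalent cipher-list spec would be `NULL:!aNULL`). The sample output below is constructed; the real list depends on the OpenSSL build.

```python
import re

# Constructed sample of `openssl ciphers -v 'NULL'` output. The field layout
# (name, protocol, Kx=, Au=, Enc=, Mac=) matches OpenSSL's; the suite list is
# illustrative and will differ between builds.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA   Enc=None      Mac=SHA1
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None  Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA   Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA   Enc=None      Mac=MD5
"""

# One `openssl ciphers -v` line: suite name, protocol, then Kx/Au/Enc/Mac fields.
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` output into a list of dicts, skipping
    any line that does not match the expected layout."""
    suites = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def auth_only_suites(suites):
    """Suites usable for authentication-only TLS: no encryption (Enc=None)
    but a real peer-authentication method (Au != None). Anonymous suites
    such as AECDH-NULL-SHA fall under the 'NULL' alias yet verify no
    certificate at all, so they are rejected here."""
    return [s["name"] for s in suites
            if s["enc"] == "None" and s["au"] != "None"]


def anonymous_suites(suites):
    """Suites that would silently defeat the mutual-auth goal."""
    return [s["name"] for s in suites if s["au"] == "None"]


if __name__ == "__main__":
    parsed = parse_ciphers_v(SAMPLE_CIPHERS_V)
    print("auth-only:", auth_only_suites(parsed))
    print("anonymous (exclude):", anonymous_suites(parsed))
```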
