"Mike Rylander" <[EMAIL PROTECTED]> writes:
> On Dec 22, 2007 1:04 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
>> Hmm ... we've always thought of SSL as being primarily comm security
>> and thus useless on a Unix socket, but the mutual authentication aspect
>> could come in handy as an answer for this type of threat.  Anyone want
>> to try this and see if it really works or not?
>>
>> Does OpenSSL have a mode where it only does mutual auth and not
>> encryption?

> [EMAIL PROTECTED]:~$ openssl ciphers -v 'NULL'

Cool.  I took a quick look through the code, and I think that a smoke
test could be made just by diking out these lines in
src/interfaces/libpq/fe-connect.c:

    if (IS_AF_UNIX(conn->raddr.addr.ss_family))
    {
        /* Don't bother requesting SSL over a Unix socket */
        conn->allow_ssl_try = false;
    }

Actual support would require rather more effort --- for instance, I doubt
that the default behavior should be to try to do SSL over a socket, so
"sslmode" would need some extension, and we'd want to extend the
pg_hba.conf keywords --- but I think this would be enough to allow
verifying whether it will work.

			regards, tom lane
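Added example, not part of this thread or of PostgreSQL: a small Go program that exercises the property the thread wants verified, a TLS handshake over a Unix-domain socket in which the server completes the handshake only for a client certificate it trusts. The self-signed certificates, the socket path (named after libpq's convention) and the CN values are constructed for the example; it does not use libpq.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"os"
	"time"
)

// selfSigned makes a throwaway self-signed cert for cn and a pool trusting only it (constructed; no real CA).
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// MutualAuthOverUnixSocket serves TLS on a Unix-domain socket, requiring a client cert the
// server trusts (the mutual-auth part), connects one client and returns the server's verdict.
func MutualAuthOverUnixSocket(clientCN string, trusted bool) string {
	srvCert, srvPool := selfSigned("server")
	cliCert, cliPool := selfSigned(clientCN)
	if !trusted { cliCert, _ = selfSigned(clientCN) } // same CN, but a key the server was never told to trust
	dir, _ := os.MkdirTemp("", "mtls")
	defer os.RemoveAll(dir)
	ln, err := tls.Listen("unix", dir+"/.s.PGSQL.5432", &tls.Config{Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: cliPool})
	if err != nil { return "listen: " + err.Error() }
	defer ln.Close()
	seen := make(chan string, 1)
	go func() { // server side: Handshake verifies the client's cert against ClientCAs
		c, err := ln.Accept()
		if err == nil { defer c.Close(); err = c.(*tls.Conn).Handshake() }
		if err != nil { seen <- "rejected: " + err.Error(); return }
		seen <- "accepted: " + c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
	}()
	conn, err := tls.Dial("unix", ln.Addr().String(), &tls.Config{RootCAs: srvPool, ServerName: "server",
		Certificates: []tls.Certificate{cliCert}})
	verdict := <-seen // wait for the server's decision before tearing down the client
	if err == nil { conn.Close() }
	return verdict
}
```

The untrusted case models a local process that can reach the socket file but holds no certificate the server trusts: the socket is reachable, yet the handshake is refused before any query traffic.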