Re: How to ensure that SSL is enabled?
From | Craig Ringer |
---|---|
Subject | Re: How to ensure that SSL is enabled? |
Date | |
Msg-id | 1256010332.6437.74.camel@wallace.localnet |
In reply to | How to ensure that SSL is enabled? (Eric Jain <eric.jain@gmail.com>) |
Replies |
Re: How to ensure that SSL is enabled?
|
List | pgsql-jdbc |
On Mon, 2009-10-19 at 17:31 -0700, Eric Jain wrote:
> I've appended ?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory to the connection URL, but (looking at the network traffic) no encryption appears to be done. Shouldn't the connection fail if no SSL connection can be established? It's possible that the server isn't set up properly; is there a simple way to test that (e.g. verify that the server was compiled with SSL support etc)?
It looks like on the JDBC side it is mostly handled via custom SSLFactory classes. There's been discussion of making the "ssl" param take a string value, allowing more control over behaviour:
http://archives.free.net.ph/message/20070706.205109.cdd3ca05.en.html
... but I don't know if much ever came of it.
Personally, I handle this on the server side in pg_hba.conf. For Internet users (0.0.0.0/0 IP/mask), I use "hostssl" entries rather than simple "host" entries, so the pg_hba.conf entry only matches for SSL connections. If they're not using SSL, the server won't let them try password auth because there's no pg_hba.conf entry that'd permit them to do so.
eg:
hostssl somedatabase all 0.0.0.0/0 md5
--
Craig Ringer
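An added example, not part of the original message or of PostgreSQL itself: a small Python audit for the server-side approach described above. It lists the `host` and `hostnossl` records in a pg_hba.conf that would still let a non-SSL client from a non-loopback address reach an authentication method. The sample file and the function name `plaintext_entries` are constructed for illustration; only the `hostssl` line is taken from the message.

```python
import ipaddress

# Constructed sample pg_hba.conf (an assumption for this example); only the
# hostssl line is the entry quoted in the message above.
SAMPLE_HBA = """\
# TYPE  DATABASE      USER  ADDRESS        METHOD
local   all           all                  peer
host    all           all   127.0.0.1/32   md5
hostssl somedatabase  all   0.0.0.0/0      md5
host    reports       all   10.0.0.0/8     md5
host    legacy        all   192.168.1.0 255.255.255.0 password
hostnossl all         all   0.0.0.0/0      reject
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def plaintext_entries(hba_text):
    """Return (line_no, line) for records that let a non-SSL TCP client
    from a non-loopback address reach an authentication method."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        # 'host' matches SSL and non-SSL connections; 'hostnossl' only non-SSL.
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue
        address, rest = fields[3], fields[4:]
        if _is_ip(address) and _is_ip(rest[0]):
            # Address and netmask written as two separate columns.
            address, rest = f"{address}/{rest[0]}", rest[1:]
        if not rest or rest[0] == "reject":
            continue  # no usable method, or the record refuses the client
        try:
            if ipaddress.ip_network(address, strict=False).is_loopback:
                continue
        except ValueError:
            pass  # hostname, 'all', 'samenet', ...: treated as remote
        findings.append((line_no, line))
    return findings

if __name__ == "__main__":
    for line_no, line in plaintext_entries(SAMPLE_HBA):
        print(f"line {line_no}: allows non-SSL connections: {line}")
```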