Re: localhost ssl

From: Adrian Klaver
Subject: Re: localhost ssl
Date:
Msg-id: 1ca17e3b-14de-69ff-5f0b-4082376571ca@aklaver.com
In reply to: localhost ssl  (Rob Sargent <robjsargent@gmail.com>)
Responses: Re: localhost ssl  (Rob Sargent <robjsargent@gmail.com>)
List: pgsql-general
On 1/22/21 11:04 AM, Rob Sargent wrote:
> 
> I will need to enforce ssl/tls in my production environment so I thought 
> I would try setting things up on localhost to see how that went.
> 
> Then I noticed that my successful connections from 
> "/usr/lib/postgresql/12/bin/psql -U postgres -h localhost -P pager=off 
> postgres" report:
> 
>    psql (12.5 (Ubuntu 12.5-0ubuntu0.20.04.1))
>    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, 
> bits: 256, compression: off)
>    Type "help" for help.
> 
> though my pg_hba.conf does not specify SSL at all

Yes it does (implied):

https://www.postgresql.org/docs/12/auth-pg-hba-conf.html

"host

     This record matches connection attempts made using TCP/IP. host 
records match SSL or non-SSL connection attempts as well as GSSAPI 
encrypted or non-GSSAPI encrypted connection attempts."

Also I'm guessing you have ssl = on in postgresql.conf and server cert 
setup.

If you want to enforce SSL then:

"
hostssl

     This record matches connection attempts made using TCP/IP, but only 
when the connection is made with SSL encryption.

     To make use of this option the server must be built with SSL 
support. Furthermore, SSL must be enabled by setting the ssl 
configuration parameter (see Section 18.9 for more information). 
Otherwise, the hostssl record is ignored except for logging a warning 
that it cannot match any connections.
"

Read below for more information:

https://www.postgresql.org/docs/12/ssl-tcp.html


> 
>    # Database administrative login by Unix domain socket
>    local   all             postgres                                peer
> 
>    # TYPE  DATABASE        USER            ADDRESS                 METHOD
>    # "local" is for Unix domain socket connections only
>    local   all             all                                     peer
>    # IPv4 local connections:
>    host    all             all             127.0.0.1/32            md5
>    host    all             all             127.0.1.1/32            md5
>    # IPv6 local connections:
>    host    all             all             ::1/128                 md5
> 
> So to the questions:
> 1. Am I already getting encrypted connections and if so, how?
> 2. In production I hope to name the role with each connection as I want 
> the search_path set by the connecting role.  Will I need a cert per role 
> with CN=<rolename>?


-- 
Adrian Klaver
adrian.klaver@aklaver.com
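An added example (not part of the thread) that applies the host/hostssl distinction above to a pg_hba.conf: it parses the records, flags the `host` and `hostnossl` entries that can match a non-SSL TCP/IP connection, and rewrites `host` as `hostssl`. The sample config is constructed to mirror the file quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample modelled on the pg_hba.conf quoted in the thread (not the poster's file).
SAMPLE_PG_HBA = """\
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             127.0.1.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
"""

# TCP/IP record types; of these, only `host` and `hostnossl` can match a non-SSL connection.
TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
PLAINTEXT_CAPABLE = {"host", "hostnossl"}

def parse_pg_hba(text):
    """Return (lineno, type, database, user, address, method) per record.
    Comments and blank lines are skipped; `local` records have no ADDRESS.
    Assumes CIDR-style addresses (one field), not a separate netmask field."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if not fields:
            continue
        rtype = fields[0]
        if rtype == "local":
            db, user, method, address = fields[1], fields[2], fields[3], None
        elif rtype in TCP_TYPES:
            db, user, address, method = fields[1:5]  # auth options in fields[5:] are ignored
        else:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
        records.append((lineno, rtype, db, user, address, method))
    return records

def find_plaintext_tcp_records(text):
    """Records that could authenticate a client over an unencrypted TCP/IP connection."""
    return [r for r in parse_pg_hba(text) if r[1] in PLAINTEXT_CAPABLE]

def harden(text):
    """Rewrite each `host` record as `hostssl`, so the same database/user/address
    rule matches SSL connections only. `hostnossl` lines are deliberately left
    unchanged (and still reported above) so a human decides what to do with them."""
    return "\n".join(re.sub(r"^host(?=\s)", "hostssl", line)
                     for line in text.splitlines()) + "\n"
```

Remember that `hostssl` records only take effect with `ssl = on` in postgresql.conf and a server certificate in place; otherwise, as the quoted documentation says, they are ignored with a logged warning.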