At 05:13 AM 7/25/2007, James B. Byrne wrote:
>I can connect from the httpd host to the postgresql host using psql and it
>shows that an ssl connection with a 256 bit key is in use. However, I
>would like to verify that the web app is also using ssl and I cannot seem
>to find any logging setting or other mechanism that will explicitly state
>that the connection made by this application is using ssl.
The way to verify it is to look at the traffic (e.g. use tcpdump or
ethereal or sniffer) and see what is actually happening.
Using SSL is good, but if the network between the database and
webserver is "fairly trusted/secured" in my opinion it is usually
much easier to break into the webserver remotely than sniff traffic
between a webserver and the database server remotely (unless you are
doing something seriously wrong ;) ). If the situation really calls
for SSL, you might as well use certs on both sides to prevent MITM attacks.
Because usually once you get onto the webserver, whatever the webapp
can do, you can do.
The other way to get unauthorized access to data, is to steal/copy
the database backup tapes, or work as a cleaner and stick strange
little devices between the keyboards and the computers and fetch the
passwords later.
Lastly if an attacker is in a position to sniff traffic between your
webserver and database server, you're in trouble already.
Regards,
Link.