Re: SSL between Primary and Seconday PostgreSQL DBs

From: Stephen Frost
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
Date:
Msg-id: 20200903130754.GM29590@tamriel.snowman.net
In reply to: Re: SSL between Primary and Seconday PostgreSQL DBs  (Susan Joseph <sandajoseph@verizon.net>)
List: pgsql-general
Greetings,

We really prefer it if you don't top-post on these lists but instead
reply in-line, as I did.

* Susan Joseph (sandajoseph@verizon.net) wrote:
> This is great, thanks.  I have not heard of verify-full but I will try that and let you know if I have issues.
> So I will remove the passfile info for recovery.conf.  It was there because I first set it up using passwords to make sure it was working and then moved to SSL so if not needed I can remove it.
> So if I don't put clientcert=1 do I just leave it at cert or should it be set to something else?

Leaving it as 'cert' should be sufficient.  The clientcert option is
really intended to be used with the *other* auth methods, to provide a
"check the password *and* the client certificate" option.

> I will try and drop the other connection lines in the pg_hba.conf but I thought the last time I did that it threw an error.  Let me try it again and see if it works.

If that results in an error then it's possible you have an error in your
configuration and you aren't actually using SSL for this connection.

> So are you saying that "sslmode=verify-ca" doesn't actually verify that the certificate is from a CA it trusts? 

verify-ca checks that the certificate is from a trusted CA, but it does
*not* make sure that the common name in that certificate matches the
name of the system that is being connected to.

In other words, if you configure your secondary to connect to
'server-a.mydomain.com', but the certificate installed on the server has
a common name (CN) of 'server-x.mydomain.com', the connection will still
be allowed, as long as the certificate is signed by a trusted CA.
That's not good.

> So my big question is:  am I really adding more security by turning on SSL or is it just more work for the DBA? 

I'm not sure if this is a serious question or not.  If you want to
mitigate attack vectors which arise from data-in-transit then you
absolutely need to be using strong authentication and encryption when
connecting.  If your profile is such that you're not concerned about
network-based attack vectors, then perhaps it's not needed.

Thanks,

Stephen
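
A small configuration check for the points made in this message, added here as an example and not code from the thread or from PostgreSQL: it flags a standby connection string that stops at verify-ca, and replication entries in pg_hba.conf that can match non-SSL connections or pair the cert method with clientcert. The function names, sample addresses and file paths are constructed for illustration.

```python
import shlex

# Constructed sample inputs, not taken from the thread.
CONNINFO = ("host=server-a.mydomain.com user=replicator sslmode=verify-ca "
            "sslcert=/example/client.crt sslkey=/example/client.key "
            "sslrootcert=/example/root.crt")
PG_HBA = """\
# TYPE   DATABASE     USER        ADDRESS        METHOD
hostssl  replication  replicator  192.0.2.10/32  cert clientcert=1
host     replication  replicator  192.0.2.10/32  md5
hostssl  all          all         192.0.2.0/24   md5
"""

def check_conninfo(conninfo):
    """Findings for a libpq keyword=value string such as primary_conninfo."""
    opts = dict(t.split("=", 1) for t in shlex.split(conninfo) if "=" in t)
    mode = opts.get("sslmode", "prefer")  # libpq defaults to 'prefer'
    if mode == "verify-full":
        return []
    if mode == "verify-ca":
        return ["sslmode=verify-ca checks the CA but not the server name; "
                "use verify-full"]
    return [f"sslmode={mode} does not guarantee the server certificate "
            "is checked; use verify-full"]

def check_hba(text):
    """Findings for replication entries (assumes CIDR-style ADDRESS fields)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 5 or fields[0] == "local":
            continue  # blank, comment-only, or Unix-socket entry
        if "replication" not in fields[1].split(","):
            continue  # only entries that cover replication connections
        conn_type, method, options = fields[0], fields[4], fields[5:]
        if conn_type != "hostssl":
            findings.append(f"line {n}: '{conn_type}' can match a non-SSL "
                            "connection; use hostssl")
        if method == "cert" and any(o.startswith("clientcert=") for o in options):
            findings.append(f"line {n}: clientcert is unnecessary with "
                            "the cert method")
    return findings

if __name__ == "__main__":
    for finding in check_conninfo(CONNINFO) + check_hba(PG_HBA):
        print(finding)
```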
