Nathan Aherne wrote:
> We would like to use SSL to secure data transmission between our app server and postgres server as
> they are both on the public internet. We cannot use SSH tunnels as our infrastructure doesn’t allow
> it. Using client SSL keys poses a number of structural issues for us as well.
>
> Instead we would like to use MD5 Username/Password to authenticate to Postgres while having postgres
> encrypt the data transfer via SSL (forced). Is this possible? If so:
Yes, this is possible, we do it all the time.
> 1. are there any issues with doing things this way?
> 2. we have configured pg_hba.conf with hostssl and md5 clientcert=0 but cannot seem to get the correct
> connection string combination. Could someone point me in the correct direction.
There is no option "clientcert=0" for the md5 authentication method.
Just remove that and everything should work fine.
What client do you use to connect?
If you connect with libpq, you can add "sslmode=require" to the connection string, but
this is not necessary, since "sslmode=prefer" is default, and that will try SSL first.
Yours,
Laurenz Albe