I will need to enforce ssl/tls in my production environment so I thought
I would try setting things up on localhost to see how that went.
Then I noticed that my successful connections from
"/usr/lib/postgresql/12/bin/psql -U postgres -h localhost -P pager=off postgres" report:
psql (12.5 (Ubuntu 12.5-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
though my pg_hba.conf does not specify SSL at all:

# Database administrative login by Unix domain socket
local   all   postgres                 peer
# TYPE  DATABASE  USER  ADDRESS        METHOD
# "local" is for Unix domain socket connections only
local   all   all                      peer
# IPv4 local connections:
host    all   all       127.0.0.1/32   md5
host    all   all       127.0.1.1/32   md5
# IPv6 local connections:
host    all   all       ::1/128        md5
So to the questions:
1. Am I already getting encrypted connections and if so, how?
2. In production I hope to name the role with each connection as I want
the search_path set by the connecting role. Will I need a cert per role
with CN=<rolename>?