Lists: | pgsql-hackers |
---|
From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | log ssl mode with connections? |
Date: | 2007-01-30 16:28:42 |
Message-ID: | 45BF723A.6040907@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
I just turned on SSL for a test server and noticed that SSL mode isn't
logged with the connection. Should it be? It should be relatively simple
to add.
cheers
andrew
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: log ssl mode with connections? |
Date: | 2007-01-30 16:56:49 |
Message-ID: | 3243.1170176209@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> I just turned on SSL for a test server and noticed that SSL mode isn't
> logged with the connection. Should it be?
Why?
regards, tom lane
From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: log ssl mode with connections? |
Date: | 2007-01-30 17:10:31 |
Message-ID: | 45BF7C07.5000802@dunslane.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Tom Lane wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
>
>> I just turned on SSL for a test server and noticed that SSL mode isn't
>> logged with the connection. Should it be?
>>
>
> Why?
>
>
>
If I am allowing both SSL and non-SSL I might like to know which is used
by a particular connection.
cheers
andrew
From: | Kris Jurka <books(at)ejurka(dot)com> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: log ssl mode with connections? |
Date: | 2007-01-30 17:35:01 |
Message-ID: | Pine.BSO.4.64.0701301232130.22818@leary2.csoft.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Tue, 30 Jan 2007, Andrew Dunstan wrote:
> If I am allowing both SSL and non-SSL I might like to know which is used by a
> particular connection.
>
Other places I've heard people ask for this info:
1) pg_stat_activity to see who's currently connected and how.
2) Via a function (boolean am_i_using_ssl()) so they can make security
decisions in views or procedural code.
Kris Jurka
From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Kris Jurka <books(at)ejurka(dot)com> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: log ssl mode with connections? |
Date: | 2007-01-30 20:56:38 |
Message-ID: | 20070130205638.GC21930@svr2.hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Tue, Jan 30, 2007 at 12:35:01PM -0500, Kris Jurka wrote:
>
>
> On Tue, 30 Jan 2007, Andrew Dunstan wrote:
>
> >If I am allowing both SSL and non-SSL I might like to know which is used
> >by a particular connection.
> >
>
> Other places I've heard people ask for this info:
>
> 1) pg_stat_activity to see who's currently connected and how.
>
> 2) Via a function (boolean am_i_using_ssl()) so they can make security
> decisions in views or procedural code.
That information is available to the client in the form of the API call
PQgetssl(). It will return NULL if no SSL is in use, or something other
than NULL if it is (a SSL * pointer, but you don't need to know that if
you just want to know if you're on SSL or not).
IIRC it was originally disucssed to put it as a function callable, but
it was decided that it makes a lot more sense to provide it in the
client library. I don't know how many other client libraries provide the
SSL information stuff.
//Magnus
From: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Kris Jurka <books(at)ejurka(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: log ssl mode with connections? |
Date: | 2007-02-22 00:46:48 |
Message-ID: | DDE7D5A7-C1C9-45E9-87F9-5D00CACB5865@jpl.nasa.gov |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Anyone making those kind of decisions probably wants a generic
"connection is encrypted" flag. It could be true if a GSSAPI
connection has negotiated use of a security layer.
Of course I don't have my GSSAPI patches working as well as the SASL
ones were yet, and I haven't started on adding security layers yet
either.
On Jan 30, 2007, at 12:56 PM, Magnus Hagander wrote:
> On Tue, Jan 30, 2007 at 12:35:01PM -0500, Kris Jurka wrote:
>>
>>
>> On Tue, 30 Jan 2007, Andrew Dunstan wrote:
>>
>>> If I am allowing both SSL and non-SSL I might like to know which
>>> is used
>>> by a particular connection.
>>>
>>
>> Other places I've heard people ask for this info:
>>
>> 1) pg_stat_activity to see who's currently connected and how.
>>
>> 2) Via a function (boolean am_i_using_ssl()) so they can make
>> security
>> decisions in views or procedural code.
>
> That information is available to the client in the form of the API
> call
> PQgetssl(). It will return NULL if no SSL is in use, or something
> other
> than NULL if it is (a SSL * pointer, but you don't need to know
> that if
> you just want to know if you're on SSL or not).
> IIRC it was originally disucssed to put it as a function callable, but
> it was decided that it makes a lot more sense to provide it in the
> client library. I don't know how many other client libraries
> provide the
> SSL information stuff.
>
> //Magnus
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu