Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Spoofing as the postmaster
- From: "Mike Rylander" <mrylander(at)gmail(dot)com>
- To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
- Cc: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Bruce Momjian" <bruce(at)momjian(dot)us>, "Tomasz Ostrowski" <tometzky(at)batory(dot)org(dot)pl>
- Subject: Re: Spoofing as the postmaster
- Date: Sat, 22 Dec 2007 13:51:39 -0500
On Dec 22, 2007 1:04 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote: > Peter Eisentraut <peter_e(at)gmx(dot)net> writes: > > Wouldn't SSL work over Unix-domain sockets as well? The API only deals with > > file descriptors. > > Hmm ... we've always thought of SSL as being primarily comm security > and thus useless on a Unix socket, but the mutual authentication aspect > could come in handy as an answer for this type of threat. Anyone want > to try this and see if it really works or not? > > Does OpenSSL have a mode where it only does mutual auth and not > encryption? The encryption would be wasted cycles in this scenario, > so being able to turn it off would be nice. > miker(at)whirly:~$ openssl ciphers -v 'NULL' NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 I see no way to turn off the message digest, but maybe that's just an added benefit. --miker
- Follow-Ups:
- Re: Spoofing as the postmaster
- From: Bruce Momjian
- Re: Spoofing as the postmaster
- From: Tom Lane
- Re: Spoofing as the postmaster
- References:
- Spoofing as the postmaster
- From: Bruce Momjian
- Re: Spoofing as the postmaster
- From: Peter Eisentraut
- Re: Spoofing as the postmaster
- From: Tom Lane
- Spoofing as the postmaster
- Prev by Date: Re: Spoofing as the postmaster
- Next by Date: Re: Spoofing as the postmaster
- Previous by thread: Re: Spoofing as the postmaster
- Next by thread: Re: Spoofing as the postmaster
- Indexes: