On Wed, Apr 6, 2011 at 6:18 PM, Adrian Klaver <adrian.klaver@xxxxxxxxx> wrote: > On Wednesday, April 06, 2011 5:21:23 pm Yang Zhang wrote: > >> On Wed, Apr 6, 2011 at 4:57 PM, Scott Marlowe <scott.marlowe@xxxxxxxxx> >> wrote: > >> > On Wed, Apr 6, 2011 at 5:24 PM, Yang Zhang <yanghatespam@xxxxxxxxx> >> > wrote: > >> >> On Wed, Apr 6, 2011 at 4:22 PM, Adrian Klaver <adrian.klaver@xxxxxxxxx> >> >> wrote: > >> >>> On Wednesday, April 06, 2011 4:06:40 pm Yang Zhang wrote: > >> >>>> How do I prevent accidental non-SSL connections (at least to specific > >> >>>> hosts) when connecting via psql? Is there any configuration for this? > >> >>>> Thanks. > >> >>> > >> >>> http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html > >> >>> hostssl > >> >>> http://www.postgresql.org/docs/9.0/interactive/libpq-connect.html > >> >>> sslmode > >> >> > >> >> I'm aware of sslmode and hostssl - the threat model I'm asking about > >> >> is the client getting MITM'd because the user forgets to specify `psql > >> >> sslmode=verify-full`. > >> > > >> > As long as you only have hostssl entries for connections the users > >> > can't connect without ssl. > >> > >> hostssl is a server-side policy; I'm interested in setting up my > >> client with mandatory server authentication. > > http://www.postgresql.org/docs/9.0/interactive/libpq-envars.html > > PGSSLMODE behaves the same as the sslmode connection parameter. > > Now you have both ends and the middle:) Thanks, exactly what I was looking for. -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
