Hi, there. Firstly, as this is my first post on a PgSQL ML, I hope this ML is the good one for my question. I'm trying to secure further some PgSQL servers and am reading documentation about libpq sslmode option. I have a question about that: as I understand the internals of this option, the difference between verify-ca and verify-full is that, for verify-full, client will compare the hostname the server gave and the one in the SSL certificate, and will give up if these two values differ. Am I right up to now? If I'm right, I feel like the extra security of verify-full compared to verify-ca is merely a smoke screen because, as far as I know, nothing prevents a crafted server to read the certificate's hostname and give this one as its own, and the libpq shouldn't show a better MitM protection with verify-full than with verify-ca. If I'm wrong, where am I wrong? How does libpq verify the server's name? Reverse DNS? Other mean? Hoping someone can enlighten me about this, Regards. -- David Guyot Administrateur système, réseau et télécom / Sysadmin Europe Camions Interactive / Stockway Moulin Collot F-88500 Ambacourt 03 29 30 47 85
Attachment:
signature.asc
Description: This is a digitally signed message part
