On Tue, Jan 27, 2015 at 2:29 PM, David Guyot <david.guyot@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi, there.
> Firstly, as this is my first post on a PgSQL ML, I hope this ML is the
> right one for my question.
> I'm trying to secure further some PgSQL servers and am reading
> documentation about libpq sslmode option. I have a question about that:
> as I understand the internals of this option, the difference between
> verify-ca and verify-full is that, for verify-full, client will compare
> the hostname the server gave and the one in the SSL certificate, and
> will give up if these two values differ. Am I right up to now?

Almost correct. It will compare the hostname that the client used (in the connection string) with the hostname in the SSL certificate, and give up if the two values differ.
The server does not give the client a hostname at any point (other than the CN of the certificate).

> If I'm right, I feel like the extra security of verify-full compared to
> verify-ca is merely a smoke screen because, as far as I know, nothing
> prevents a crafted server to read the certificate's hostname and give
> this one as its own, and the libpq shouldn't show a better MitM
> protection with verify-full than with verify-ca. If I'm wrong, where am
> I wrong? How does libpq verify the server's name? Reverse DNS? Other
> means?

libpq uses the hostname that you specify in the connection string (or in an environment variable, or however you end up specifying it).
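
The distinction discussed in this thread, as an added example that is not part of the original messages and is not libpq's source code: a simplified Python model of the client-side decision, in which the only name compared with the certificate is the one the client requested. The host names, the `ServerCert` type and the function names are constructed for illustration; the wildcard rule follows the libpq documentation.

```python
# Simplified model of the sslmode decision (illustrative, not libpq code).
from dataclasses import dataclass


@dataclass
class ServerCert:
    common_name: str            # name the CA certified (certificate CN)
    signed_by_trusted_ca: bool  # result of chain validation against root.crt


def name_matches(requested_host: str, cert_name: str) -> bool:
    """Compare the host the CLIENT asked for with the certificate name.

    A leading '*' matches any characters except a dot, so a wildcard
    certificate does not cover deeper subdomains.
    """
    host, name = requested_host.lower(), cert_name.lower()
    if name.startswith("*."):
        suffix = name[1:]                      # e.g. ".example.internal"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == name


def accept(sslmode: str, requested_host: str, cert: ServerCert) -> bool:
    """Return True if the client would proceed with the connection."""
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError("model covers verify-ca and verify-full only")
    if not cert.signed_by_trusted_ca:
        return False                           # both modes require a trusted chain
    if sslmode == "verify-ca":
        return True                            # any certificate from the CA passes
    # verify-full: nothing the server claims about itself is an input here.
    return name_matches(requested_host, cert.common_name)


if __name__ == "__main__":
    wanted = "db.example.internal"             # constructed host from the connection string
    genuine = ServerCert("db.example.internal", True)
    # Constructed case: an interposed server holding a different certificate
    # issued by the same trusted CA.
    other = ServerCert("other.example.internal", True)
    for mode in ("verify-ca", "verify-full"):
        print(mode, "genuine:", accept(mode, wanted, genuine),
              "other cert:", accept(mode, wanted, other))
```
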