Re: ssl connections to postgresql

On Fri, July 27, 2007 04:20, Albe Laurenz wrote:
>
> This is more a philosophical question.
>
> If you only allow hostssl connections in pg_hba.conf AND forbid
> all host connections (with one last 'reject' line), PostgreSQL
> will reject all connections that are not via SSL.
>
> If your "security compliance team" does not trust PostgreSQL to
> enforce that, they'll probably have a very bad feeling about PostgreSQL
> in general - why then should they trust a log entry that PostgreSQL
> writes?
>

Because configuration files can be expected to be modified over time and
having an explicit log entry tells one what modes were in effect for a
specific connection at the time, whatever the configuration file says now.

It is not confidence in the software but in the diligence of the system
administrator (me) that is at question for the audit team. In any case, I
personally like this sort of direct confidence log entry. I feel that
it makes for easier configuration changes, as often you can quickly see the
consequence when you have done something stupid.

I think that if the maintainers decide it is worth doing at all, and I simply
do not have the time to bring myself up to speed on the code base of a
project the size of postgresql to do it myself, then such a feature would
be best added as a new special value (%e) option for log_line_prefix.

   #   %e = connection encryption strength (none/ssl-256/ssl-512 etc.)

Which again raises a question that I posed earlier: Is there any benefit
to increasing the key size for a host connection from 256 and, if so, how
is this done?

Regards,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
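The pg_hba.conf arrangement discussed in the thread (only hostssl lines grant access, a trailing host ... reject catches everything else), as an added example that is not part of the original thread or of PostgreSQL itself: a small Python audit that parses a constructed pg_hba.conf, applies PostgreSQL's first-match rule to a hypothetical connection, and flags lines that would let a cleartext TCP connection authenticate. It assumes a simplified rule format (single database and user names, CIDR addresses, no trailing options column).

```python
import ipaddress

# Constructed sample pg_hba.conf in the shape the thread describes:
# hostssl lines grant access, a final 'host ... reject' refuses the rest.
STRICT_HBA = """
# TYPE   DATABASE  USER   ADDRESS         METHOD
local    all       all                    md5
hostssl  all       all    192.168.1.0/24  md5
hostssl  all       all    10.0.0.0/8      md5
host     all       all    0.0.0.0/0       reject
"""

# Constructed weak variant: a plain 'host' line also accepts cleartext TCP.
WEAK_HBA = STRICT_HBA.replace("hostssl  all       all    10.0.0.0/8      md5",
                              "host     all       all    10.0.0.0/8      md5")

def parse_hba(text):
    """Parse rules into dicts. 'local' (Unix-socket) rules carry no ADDRESS
    column; they are never SSL and are not covered by hostssl/reject."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append(dict(type=f[0], db=f[1], user=f[2], addr=None, method=f[3]))
        else:
            rules.append(dict(type=f[0], db=f[1], user=f[2],
                              addr=ipaddress.ip_network(f[3]), method=f[4]))
    return rules

def first_match(rules, db, user, client_ip, ssl):
    """PostgreSQL uses the first matching line; return its METHOD, or None
    if no line matches (which PostgreSQL also treats as a rejection)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["type"] == "local":               # TCP never matches 'local'
            continue
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if ip not in r["addr"]:                # mismatched IP version is False
            continue
        return r["method"]
    return None

def cleartext_grants(rules):
    """Defender's check: any 'host'/'hostnossl' line whose method is not
    'reject' can authenticate a cleartext TCP client if it is reached first."""
    return [r for r in rules if r["type"] in ("host", "hostnossl") and r["method"] != "reject"]
```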

