Re: [Bulk] Re: [PHP-DB] Verifying PostgreSQL Certficates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Chris wrote:
Angus B. Atkins-Trimnell wrote:
Hello,

I have been wondering if the resource object returned from a pg_connect() or pg_pconnect() call can be parsed for certain information. Specifically, I'm wondering if it contains information about the certificate and public key submitted by PostgreSQL when SSL is enabled. I've looked at pg_parameter_status(), but it doesn't seem to get the information I need. Ultimately, I would like to compare the signature on a certificate to a trusted certificate authority to determine the trustworthiness of the certificate.

AFAIK you don't have to do this, postgres does it automatically when you connect.

Probably best asking the postgres-general list (http://www.postgresql.org/community/lists/) this instead of on a php list, as postgres would need to support it before php could access that info (and I don't know if it can tell you this info).

Well, it may be that I have it wrong. I know that the PostgreSQL server is checking the certificate supplied by the PostgreSQL client against the trusted CAs in root.crt; however, I am concerned that the application, which is written in PHP, is still vulnerable to a man-in-the-middle attack, wherein the attacker would intercept the connection request and impersonate the PostgreSQL server, submitting its own certificate in place of the servers.

I will try sending this to the PostgreSQL list, but if anyone has any idea whether PHP sees the certificate information, which it would receive, I assume through the libpq library, please let me know.

Thanks.

--Angus

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux