48

I have configured ssl = on in postgresql.conf (and installed a certificate etcetera). Does this ensure that all clients will always connect over SSL?

(I.e. does ssl = on make it impossible to connect without SSL encryption?)

Are there other ways to ensure that all clients always connect over SSL/TLS?

Mark Amery
KajMagnus

4 Answers

46

ssl = on only enables the possibility of using SSL.

To ensure that all clients are using SSL, add hostssl lines in pg_hba.conf, e.g.,

hostssl  all  all  0.0.0.0/0  md5

and remove all host lines. (Well, maybe keep the ones for localhost.)

If the desire is to force the client to send a certificate, then md5 has to be changed to cert. e.g.,

hostssl  all  all  0.0.0.0/0  cert
Peter Eisentraut
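An added example (not part of the answer above, and not PostgreSQL's own tooling): a small Python check that lists the pg_hba.conf rules that can still match a TCP client connecting without TLS, which are the host lines the answer says to remove, while leaving loopback rules alone. The sample file contents are constructed; `include` directives and line continuations are assumed absent and are not handled.

```python
import ipaddress
import shlex

# Record types that can match a TCP connection made without TLS.
PLAINTEXT_TYPES = {"host", "hostnossl", "hostnogssenc"}

# Constructed sample pg_hba.conf contents (not from a real server).
SAMPLE = """\
# TYPE     DATABASE     USER  ADDRESS                    METHOD
local      all          all                              peer
host       all          all   127.0.0.1/32               scram-sha-256
host       all          all   ::1/128                    scram-sha-256
hostssl    all          all   0.0.0.0/0                  scram-sha-256
host       all          all   10.0.0.0/8                 md5  # leftover rule
hostnossl  all          all   0.0.0.0/0                  reject
host       replication  repl  192.168.1.0 255.255.255.0  md5
"""

def is_loopback(address, mask=None):
    """True only if the address field is an IP network wholly inside loopback."""
    try:
        net = ipaddress.ip_network(f"{address}/{mask}" if mask else address, strict=False)
    except ValueError:
        return False  # host names, "all", "samenet", ...: treated as non-local
    return net.is_loopback

def audit_pg_hba(text):
    """Return (line_number, line) for each rule that admits non-TLS TCP clients."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue
        address, rest, mask = fields[3], fields[4:], None
        try:
            # Older style: IP address and netmask given as two separate fields.
            ipaddress.ip_address(rest[0])
            mask, rest = rest[0], rest[1:]
        except ValueError:
            pass
        method = rest[0] if rest else ""
        if method == "reject" or is_loopback(address, mask):
            continue  # explicit refusals and localhost-only rules are fine
        findings.append((number, raw.strip()))
    return findings

if __name__ == "__main__":
    for number, line in audit_pg_hba(SAMPLE):
        print(f"line {number}: allows non-TLS clients: {line}")
```

An empty result means every non-loopback TCP rule is hostssl, hostgssenc or reject; it says nothing about whether clients verify the server certificate.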
14

No, that simply enables the use of SSL. You need to also make the appropriate changes to your pg_hba.conf file.

gsiems
1

Just FYI, try to avoid making connections without passwords. One of the strongest choices would be ssl (verify-full mode) + password authentication (encrypted with scram-sha-256).

Your pg_hba.conf could be like:

hostssl  all  all  0.0.0.0/0  scram-sha-256 clientcert=verify-full
0

The server can make sure clients connecting to it use TLS. This is done by using the hostssl connection type instead of host in the pg_hba.conf file.

However, this does not prevent man-in-the-middle (MITM) attacks because PostgreSQL clients by default use sslmode=prefer which means opportunistic encryption. In this mode, a client does not validate the server certificate. It does not even use encryption if the server it connects to (which may be a MITM) does not offer TLS. Therefore it only prevents passive wiretapping, but not active attacks.

To really enforce secure connections, you have to make sure your clients use sslmode=verify-full. Another way would be the use of certificate authentication by setting the auth-method to cert in your pg_hba.conf file which makes sure the client connecting to the server is a known client and not a MITM. Using certificate authentication, a client connecting to a MITM may still send some login credentials to the MITM, but it won’t be possible to use those to connect to the real server.

Martin