readme.ssl
来自「PostgreSQL7.4.6 for Linux」· SSL 代码 · 共 484 行 · 第 1/2 页
SSL
484 行
>From the servers perspective: Receives StartupPacket | | (Is SSL_NEGOTIATE_CODE?) ----------- Normal startup | No | | Yes | | (Server compiled with USE_SSL?) ------- Send 'N' | No | | | | Yes Normal startup | | Send 'S' | | Establish SSL | | Normal startup >From the clients perspective (v6.6 client _with_ SSL): Connect | | Send packet with SSL_NEGOTIATE_CODE | | Receive single char ------- 'S' -------- Establish SSL | | | '<else>' | | Normal startup | | Is it 'E' for error ------------------- Retry connection | Yes without SSL | No | Is it 'N' for normal ------------------- Normal startup | Yes | Fail with unknown--------------------------------------------------------------------------- COMMENTS FROM BEAR GILESOn a related note, I had mentioned this before but it's a subtle point and I'm sure that it's slipped everyone's mind... - if you need to have confidence in the identity of the database server, e.g., you're storing sensitive information and you absolutely must prevent any "man in the middle" attacks, use the SSL code I provided with server-side certs. To many users, the key issue is not whether the data is encrypted, it's whether the other party can be trusted to be who they claim to be.- if you just need confidentiality, but you don't need to verify the identity of the database server (e.g., because you trust the IP address,but worry about packet sniffers), SSH tunnels are much easier to set up and maintain than the embedded SSL code. You can set up the database server so it doesn't require a certificate (hell, you can hard code a fallback certificate into the server!), *but that violates the common practice of SSL-enabled servers.* I cannot overemphasize this - every other SSL-enabled server requires a certificate, and most provide installation scripts to create a "snake oil" temporary certificate. I can't think of any server (apache+mod_ssl, courier-imap, postfix(+tls),etc.) that uses anonymous servers.- if you don't need confidentiality, e.g., you're on a trusted network segment, then use direct access to the server port.--------------------------------------------------------------------------- EMAIL ABOUT DOCUMENTATIONFrom: Bear Giles <bgiles@coyotesong.com>Subject: [HACKERS] 2nd cut at SSL documentationTo: pgsql-hackers@postgresql.orgDate: Tue, 21 May 2002 14:27:00 -0600 (MDT)A second cut at SSL documentation....SSL Support in PostgreSQL=========================Who needs it?=============The sites that require SSL fall into one (or more) of several broadcategories.*) They have insecure networks. Examples of insecure networks are anyone in a "corporate hotel," any network with 802.11b wireless access points (WAP) (in 2002, this protocol has many well-known security weaknesses and even 'gold' connections can be broken within 8 hours), or anyone accessing their database over the internet. These sites need a Virtual Private Network (VPN), and either SSH tunnels or direct SSL connections can be used.*) They are storing extremely sensitive information. An example of extremely sensitive information is logs from network intrusion detection systems. This information *must* be fully encrypted between front- and back-end since an attacker is presumably sniffing all traffic within the VPN, and if they learn that you know what they are doing they may attempt to cover their tracks with a quick 'rm -rf /' and 'dropdb' In the extreme case, the contents of the database itself may be encrypted with either the crypt package (which provides symmetrical encryption of the records) or the PKIX package (which provides public-key encryption of the records).*) They are storing information which is considered confidential by custom, law or regulation. This includes all records held by your doctor, lawyer, accountant, etc. In these cases, the motivation for using encryption is not a conscious evaulation of risk, but the fear of liability for 'failure to perform due diligence' if encryption is available but unused and an attacker gains unauthorized access to the harm of others.*) They have 'road warriors.' This includes all sites where people need to have direct access to the database (not through a proxy such as a secure web page) from changing remote addresses. Client certificates provide a clean way to grant this access without opening up the database to the world.Who does not need it?---------------------It's at least as important to know who does not need SSL as itis to know who does. Sites that do not need SSL fall into severalbroad categories.*) Access is limited to the Unix socket.*) Access is limited to a physically secure network. "Physically secure" networks are common in the clusters and colocation sites - all database traffic is restricted to dedicated NIC cards and hubs, and all servers and cabling are maintained in locked cabinets.Using SSH/OpenSSH as a Virtual Private Network (VPN)====================================================SSH and OpenSSH can be used to construct a Virtual Private Network(VPN) to provide confidentiality of PostgreSQL communications. These tunnels are widely available and fairly well understood, but do not provide any application-level authentication information.To set up a SSH/OpenSSH tunnel, a shell account for eachuser should be set up on the database server. It is acceptablefor the shell program to be bogus (e.g., /bin/false), if thetunnel is set up in to avoid launching a remote shell.On each client system the $HOME/.ssh/config file should containan additional line similiar to LocalForward 5555 psql.example.com:5432(replacing psql.example.com with the name of your database server).By putting this line in the configuration file, instead of specifyingit on the command line, the tunnel will be created whenever a connection is made to the remote system.The psql(1) client (or any client) should be wrapped with a scriptthat establishes an SSH tunnel when the program is launched: #!/bin/sh HOST=psql.example.com IDENTITY=$HOME/.ssh/identity.psql /usr/bin/ssh -1 -i $IDENTITY -n $HOST 'sleep 60' & \ /usr/bin/psql -h $HOST -p 5555 $1Alternately, the system could run a daemon that establishes and maintainsthe tunnel. This is preferrable when multiple users need to establishsimilar tunnels to the same remote site.Unfortunately, there are many potential drawbacks to SSL tunnels:*) the SSH implementation or protocol may be flawed. Serious problems are discovered about once every 18- to 24- months.*) the systems may be misconfigured by accident.*) the database server must provide shell accounts for all users needing access. This can be a chore to maintain, esp. in if all other user access should be denied.*) neither the front- or back-end can determine the level of encryption provided by the SSH tunnel - or even whether an SSH tunnel is in use. This prevents security-aware clients from refusing any connection with unacceptly weak encryption.*) neither the front- or back-end can get any authentication information pertaining to the SSH tunnel.Bottom line: if you just need a VPN, SSH tunnels are a good solution.But if you explicitly need a secure connection they're inadequate.Direct SSL Support==================Insecure Channel: ANONYMOUS DH Server-------------------------------------"ANONYMOUS DH" is the most basic SSL implementation. It doesnot require a server certificate, but it is vulnerable to"man-in-the-middle" attacks.The PostgreSQL backend does not support ANONYMOUS DH sessions.Secure Channel: Server Authentication-------------------------------------Server Authentication requires that the server authenticate itself⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?