[Babase] Re: Ranker security problems
Karl O. Pinc
kop at meme.com
Fri Aug 24 03:24:34 EDT 2007
On 08/23/2007 10:20:22 PM, Jun Yang wrote:
> On 8/20/07, Karl O. Pinc <kop at meme.com> wrote:
> >
> > Jun,
> >
> > I believe that the ranker program is not attempting
> > to establish an SSL connection. Either the PQconnectdb()
> > call is not passing the right 'sslmode' parameter keyword
> > ("prefer" would be best, in the db server I ensure that
> > connections going through the VPN are not double-encrypted
> > with libpq's SSL as well) or the libpq was not compiled with
> > SSL support. See:
> >
> > http://www.postgresql.org/docs/8.1/static/libpq.html#LIBPQ-CONNECT
> >
> > I'm pretty sure that at one point when Tyler was directly
> > connecting to papio, before we tried the VPN, the ranker
> > was connecting with SSL enabled.
>
> I'll make the fix this weekend, but before I proceed I'd like to
> understand exactly where the problem is. I just tried JDBC
> connection from a Java application running on papio,
> and it was able to connect to the database server without specifying
> any ssl property during connection. So just to make sure: ssl is
> needed only when connecting from biology.duke.edu machine
> (thus without vpn) other than papio itself, right?

Yes.

Connections from papio, via Unix socket or 127.0.0.1 are not
allowed to use SSL (lest they be horribly inefficient.)

Likewise connections using the VPN, via 172.16.3.0/24, are
not allowed to use SSL.

All connections via papio.biology.duke.edu (152.3.13.55/32)
must use SSL. (However the Duke firewall, somewhere, prevents
users from outside of Duke's network from connecting at all.
Hence the VPN.)

I tested by connecting to 512.3.13.55 while on papio and
found an SSL connection was required. (As per my pg config.)

Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
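
The following is an added example, not part of the original message and not the server's configuration: a small Python model of how pg_hba.conf-style `hostssl`/`hostnossl` records interact with libpq's `sslmode` values, showing why "prefer" works on every path described above while a client that never tries SSL is rejected on the public address. The rule list is an assumed reconstruction of the stated policy (the real pg_hba.conf is not shown), and 172.16.3.10 and 10.0.0.1 are constructed client addresses.

```python
import ipaddress

# Assumed rules reconstructed from the policy in the message; the server's
# real pg_hba.conf is not shown. Each entry is (record type, client network).
RULES = [
    ("local", None),                 # Unix socket on papio
    ("hostnossl", "127.0.0.1/32"),   # loopback: SSL not allowed
    ("hostnossl", "172.16.3.0/24"),  # VPN: already encrypted, SSL not allowed
    ("hostssl", "152.3.13.55/32"),   # public address: SSL required
]

# Order in which libpq attempts (use_ssl) for each sslmode value.
SSLMODE_ATTEMPTS = {
    "disable": [False],
    "allow": [False, True],
    "prefer": [True, False],
    "require": [True],
}

def server_accepts(client, use_ssl):
    """True if some record matches this connection type and client address."""
    if client == "unix":
        return any(kind == "local" for kind, _ in RULES)
    addr = ipaddress.ip_address(client)
    for kind, net in RULES:
        if kind == "local" or addr not in ipaddress.ip_network(net):
            continue
        # hostssl matches only SSL attempts, hostnossl only non-SSL ones.
        if kind == "host" or (kind == "hostssl") == use_ssl:
            return True
    return False  # no matching record: the server rejects the connection

def connect(client, sslmode):
    """Return 'ssl', 'plain' or 'rejected' for a client source and sslmode."""
    if client == "unix":  # sslmode is ignored for Unix domain sockets
        return "plain" if server_accepts(client, False) else "rejected"
    for use_ssl in SSLMODE_ATTEMPTS[sslmode]:
        if server_accepts(client, use_ssl):
            return "ssl" if use_ssl else "plain"
    return "rejected"

if __name__ == "__main__":
    # Constructed client sources: socket, loopback, a VPN host, papio's public IP.
    for c in ["unix", "127.0.0.1", "172.16.3.10", "152.3.13.55"]:
        print(c, {m: connect(c, m) for m in SSLMODE_ATTEMPTS})
```
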