At 05:13 AM 7/25/2007, James B. Byrne wrote:
I can connect from the httpd host to the postgresql host using psql and it shows that an ssl connection with a 256 bit key is in use. However, I would like to verify that the web app is also using ssl and I cannot seem to find any logging setting or other mechanism that will explicitly state that the connection made by this application is using ssl.
The way to verify it is to look at the traffic (e.g. use tcpdump or ethereal or sniffer) and see what is actually happening.
Using SSL is good, but if the network between the database and webserver is "fairly trusted/secured" in my opinion it is usually much easier to break into the webserver remotely than sniff traffic between a webserver and the database server remotely (unless you are doing something seriously wrong ;) ). If the situation really calls for SSL, you might as well use certs on both sides to prevent MITM attacks.
Because usually once you get onto the webserver, whatever the webapp can do, you can do.
The other way to get unauthorized access to data, is to steal/copy the database backup tapes, or work as a cleaner and stick strange little devices between the keyboards and the computers and fetch the passwords later.
Lastly if an attacker is in a position to sniff traffic between your webserver and database server, you're in trouble already.
Regards, Link. ---------------------------(end of broadcast)--------------------------- TIP 2: Don't 'kill -9' the postmaster
