Well, it may be that I have it wrong. I know that the PostgreSQL server
is checking the certificate supplied by the PostgreSQL client against
the trusted CAs in root.crt; however, I am concerned that the
application, which is written in PHP, is still vulnerable to a
man-in-the-middle attack, wherein the attacker would intercept the
connection request and impersonate the PostgreSQL server, submitting its
own certificate in place of the server's.
Angus B. Atkins-Trimnell wrote:
I have been wondering if the resource object returned from a
pg_connect() or pg_pconnect() call can be parsed for certain
information. Specifically, I'm wondering if it contains information
about the certificate and public key submitted by PostgreSQL when SSL
is enabled. I've looked at pg_parameter_status(), but it doesn't
seem to get the information I need. Ultimately, I would like to
compare the signature on a certificate to a trusted certificate
authority to determine the trustworthiness of the certificate.
AFAIK you don't have to do this, postgres does it automatically when
Probably best asking the postgres-general list
(http://www.postgresql.org/community/lists/) this instead of on a php
list, as postgres would need to support it before php could access
that info (and I don't know if it can tell you this info).
I will try sending this to the PostgreSQL list, but if anyone has any
idea whether PHP sees the certificate information, which it would
receive, I assume through the libpq library, please let me know.
PHP Database Mailing List (http://www.php.net/)
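An added example, not part of the original thread: the man-in-the-middle concern above is about whether the client side (libpq, which PHP's pg_connect() uses) authenticates the server. Assuming a libpq that supports the `sslmode=verify-full` and `sslrootcert` connection keywords (PostgreSQL 8.4 and later), the check can be forced from PHP through the connection string. The helper names, host, database, user and CA path are hypothetical placeholders.

```php
<?php
// Added example. Helper names and all connection values are placeholders.

/** Quote one libpq conninfo value: single quotes, with \ and ' backslash-escaped. */
function conninfo_quote(string $v): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $v) . "'";
}

/** Build a conninfo string that makes libpq authenticate the server. */
function build_verified_conninfo(array $params, string $caFile): string
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // verify-full: the server certificate must chain to a CA in sslrootcert
    // AND its name must match the host we asked for. Set last so that
    // caller-supplied values cannot weaken it.
    $params['sslmode']     = 'verify-full';
    $params['sslrootcert'] = $caFile;

    $parts = [];
    foreach ($params as $key => $value) {
        $parts[] = $key . '=' . conninfo_quote((string) $value);
    }
    return implode(' ', $parts);
}

/** Connect, treating any verification failure as fatal (no plaintext fallback). */
function connect_verified(array $params, string $caFile)
{
    $conn = @pg_connect(build_verified_conninfo($params, $caFile));
    if ($conn === false) {
        // An untrusted or mismatched server certificate ends up here.
        throw new RuntimeException('PostgreSQL connection failed or server certificate not verified');
    }
    return $conn;
}

try {
    $conn = connect_verified(
        ['host' => 'db.example.internal', 'dbname' => 'appdb', 'user' => 'appuser'],
        '/etc/myapp/pg-root.crt'   // placeholder: CA that signed the server certificate
    );
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```

The host must be given by name, since the name is what `verify-full` compares against the certificate.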