Verifying PostgreSQL Certificates

on 13.04.2008 23:52:02 by trimkins

Hello,

I have been wondering if the resource object returned from a
pg_connect() or pg_pconnect() call can be parsed for certain
information. Specifically, I'm wondering if it contains information
about the certificate and public key submitted by PostgreSQL when SSL is
enabled. I've looked at pg_parameter_status(), but it doesn't seem to
get the information I need. Ultimately, I would like to compare the
signature on a certificate to a trusted certificate authority to
determine the trustworthiness of the certificate.

Thanks much in advance.

--Angus Atkins-Trimnell

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Verifying PostgreSQL Certificates

on 14.04.2008 02:06:23 by dmagick

Angus B. Atkins-Trimnell wrote:
> Hello,
>
> I have been wondering if the resource object returned from a
> pg_connect() or pg_pconnect() call can be parsed for certain
> information. Specifically, I'm wondering if it contains information
> about the certificate and public key submitted by PostgreSQL when SSL is
> enabled. I've looked at pg_parameter_status(), but it doesn't seem to
> get the information I need. Ultimately, I would like to compare the
> signature on a certificate to a trusted certificate authority to
> determine the trustworthiness of the certificate.

AFAIK you don't have to do this, postgres does it automatically when you
connect.

Probably best asking the postgres-general list
(http://www.postgresql.org/community/lists/) this instead of on a php
list, as postgres would need to support it before php could access that
info (and I don't know if it can tell you this info).

--
Postgresql & php tutorials
http://www.designmagick.com/


Re: [Bulk] Re: [PHP-DB] Verifying PostgreSQL Certificates

on 14.04.2008 03:07:56 by trimkins

Chris wrote:
> Angus B. Atkins-Trimnell wrote:
>> Hello,
>>
>> I have been wondering if the resource object returned from a
>> pg_connect() or pg_pconnect() call can be parsed for certain
>> information. Specifically, I'm wondering if it contains information
>> about the certificate and public key submitted by PostgreSQL when SSL
>> is enabled. I've looked at pg_parameter_status(), but it doesn't
>> seem to get the information I need. Ultimately, I would like to
>> compare the signature on a certificate to a trusted certificate
>> authority to determine the trustworthiness of the certificate.
>
> AFAIK you don't have to do this, postgres does it automatically when
> you connect.
>
> Probably best asking the postgres-general list
> (http://www.postgresql.org/community/lists/) this instead of on a php
> list, as postgres would need to support it before php could access
> that info (and I don't know if it can tell you this info).
>
Well, it may be that I have it wrong. I know that the PostgreSQL server
is checking the certificate supplied by the PostgreSQL client against
the trusted CAs in root.crt; however, I am concerned that the
application, which is written in PHP, is still vulnerable to a
man-in-the-middle attack, wherein the attacker would intercept the
connection request and impersonate the PostgreSQL server, submitting its
own certificate in place of the server's.

I will try sending this to the PostgreSQL list, but if anyone has any
idea whether PHP sees the certificate information, which it would
receive, I assume, through the libpq library, please let me know.

Thanks.

--Angus
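
The check asked about in this thread, the client comparing the server's certificate against a trusted CA, is performed inside libpq when the connection string sets `sslmode=verify-full` and `sslrootcert` (parameters available in libpq from PostgreSQL 8.4, which postdates these messages). The PHP below is an added example, not code from the thread or from any poster; the helper name `pg_connect_verified`, the host, database, user and CA path are constructed values.

```php
<?php
// Added example; helper name, host, database, user and CA path are constructed.

function pg_connect_verified(array $params, string $caFile)
{
    // The CA file holds the root certificate(s) this client trusts.
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // verify-full compares the certificate name with 'host', so a server
    // name is required and a Unix-socket path (leading '/') is rejected.
    $host = (string)($params['host'] ?? '');
    if ($host === '' || $host[0] === '/') {
        throw new InvalidArgumentException('host must be a server name');
    }
    // Do not let caller-supplied settings weaken verification.
    foreach (['sslmode', 'sslrootcert'] as $reserved) {
        if (array_key_exists($reserved, $params)) {
            throw new InvalidArgumentException("$reserved is fixed by this helper");
        }
    }
    // 'require' alone does not guarantee the certificate is checked;
    // 'verify-full' checks the issuer against $caFile and the host name
    // against the certificate.
    $params['sslmode'] = 'verify-full';
    $params['sslrootcert'] = $caFile;

    $parts = [];
    foreach ($params as $key => $value) {
        // libpq conninfo quoting: single quotes, with ' and \ escaped.
        $escaped = strtr((string)$value, ["\\" => "\\\\", "'" => "\\'"]);
        $parts[] = "$key='$escaped'";
    }
    $conn = @pg_connect(implode(' ', $parts));
    if ($conn === false) {
        // An untrusted issuer and a host name mismatch both end up here.
        throw new RuntimeException('connection failed or server not verified');
    }
    return $conn;
}

try {
    $conn = pg_connect_verified(
        ['host' => 'db.example.internal', 'dbname' => 'app', 'user' => 'app_ro'],
        '/etc/ssl/certs/pg-root.crt'
    );
    echo "connected to a verified server\n";
} catch (Exception $e) {
    error_log($e->getMessage());
}
```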
