- Newest
- Most votes
- Most comments
Hi,
I think the following StackOverflow page answers your question.
The server can force the client to use ssl to establish the connection, but it cannot force the client to verify the server's certificate. If your client is libpq based, then it will verify the certificate if and only if it can find the root certificate file (generally at ~/.postgresql/root.crt, if not specified as something else). If you specify PGSSLMODE=verify-ca or above on the client, then the client will throw an error if can't find the root cert file. If the sslmode is below that level and the client can't find the root cert file, then it will use the server's certificate to negotiate encryption, but will not use it to verify the identity of the server. So you get protection from passive eavesdropping, but not from active MITM attacks.
psql has SSL connections enabled by default.
So to prevent SSL connections from being made, try setting an environment variable as follows.
This would allow us to test if the connection fails if SSL connection is not used since it would be a non-SSL connection.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/ssl-certificate-rotation-aurora-postgresql.html#ssl-certificate-rotation-aurora-postgresql.determining-client
$ PGSSLMODE=disable \
psql -h $HOST "dbname=dbname user=username"
Relevant content
- asked a year ago
- asked 9 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago