On Tue, Jun 9, 2015 at 10:55 PM, Michael Paquier <michael.paqu...@gmail.com> wrote:
> On Tue, Jun 9, 2015 at 3:27 PM, Magnus Hagander <mag...@hagander.net> wrote:
> >
> > On Jun 9, 2015 6:00 AM, "Michael Paquier" <michael.paqu...@gmail.com> wrote:
> >>
> >> Hi all,
> >>
> >> I should have noticed that before, but it happens that pg_stat_ssl
> >> leaks information about the SSL status of all the users connected to a
> >> server. Let's imagine for example:
> >> 1) Session 1 connected through SSL with a superuser:
> >> =# create role toto login;
> >> CREATE ROLE
> >> =# select * from pg_stat_ssl;
> >>   pid  | ssl | version |           cipher            | bits | compression | clientdn
> >> -------+-----+---------+-----------------------------+------+-------------+----------
> >>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >> (1 row)
> >> 2) New session 2 with previously created user:
> >> => select * from pg_stat_ssl;
> >>   pid  | ssl | version |           cipher            | bits | compression | clientdn
> >> -------+-----+---------+-----------------------------+------+-------------+----------
> >>  33348 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >>  33367 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | t           |
> >> (2 rows)
> >>
> >> Attached is a patch to mask those values to users that should not have
> >> access to it, similarly to the other fields of pg_stat_activity.
> >
> > I don't have the thread around right now (on phone), but didn't we discuss
> > this back around the original submission and decide that this was wanted
> > behavior?
>
> Looking back at this thread, it is mentioned here:
> http://www.postgresql.org/message-id/31891.1405175...@sss.pgh.pa.us

AIUI that one was just about the DN field, and not about the rest. If I understand you correctly, you are referring to the whole thing, not just one field?

> > What actual sensitive data is leaked? If knowing the cipher type makes it
> > easier to hack you have a broken cipher, don't you?
>
> I am just wondering if it is a good idea to let other users know the
> origin of a connection to all the users. Let's imagine the case where
> for example the same user name is used for non-SSL and SSL sessions.
> This could give a hint of the activity on the server..
>
> However, feel free to ignore those concerns if you think the current
> situation is fine...

Well, I do think the current one is OK, but I don't want to ignore the comment anyway :)

Happy to hear comments from others as well.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
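An added illustration of the behaviour under discussion, not the patch attached to the thread or any PostgreSQL code: a query a non-superuser can run to see whether pg_stat_ssl shows rows for other users' sessions, and a wrapper view (the name `masked_stat_ssl` is made up here) that applies pg_stat_activity's visibility rule to the pg_stat_ssl columns quoted above. It assumes pg_stat_activity's `usename` column is readable by every role, which is what lets the view decide whose session a pid belongs to.

```sql
-- Added example, not the patch from this thread. Column names are the ones
-- shown in the pg_stat_ssl output quoted above.

-- 1. Check: run as an ordinary (non-superuser) role. Every row returned is
--    an SSL session belonging to some other user that this role can see.
SELECT s.pid, a.usename, s.ssl, s.version, s.cipher, s.compression
  FROM pg_stat_ssl s
  JOIN pg_stat_activity a USING (pid)
 WHERE a.usename IS DISTINCT FROM current_user;

-- 2. Mitigation sketch (view name is hypothetical). It mirrors the rule
--    pg_stat_activity uses for its sensitive columns: a role sees full
--    detail for its own sessions, a superuser sees everything, and every
--    other row keeps only its pid. It does not revoke access to
--    pg_stat_ssl itself; it shows what the masking would look like.
CREATE VIEW masked_stat_ssl AS
SELECT s.pid,
       CASE WHEN v.visible THEN s.ssl         END AS ssl,
       CASE WHEN v.visible THEN s.version     END AS version,
       CASE WHEN v.visible THEN s.cipher      END AS cipher,
       CASE WHEN v.visible THEN s.bits        END AS bits,
       CASE WHEN v.visible THEN s.compression END AS compression,
       CASE WHEN v.visible THEN s.clientdn    END AS clientdn
  FROM pg_stat_ssl s
  JOIN pg_stat_activity a USING (pid)
 CROSS JOIN LATERAL (
       -- own session, or the caller is a superuser
       SELECT (a.usename = current_user
               OR (SELECT rolsuper FROM pg_roles WHERE rolname = current_user))
              AS visible
 ) v;

-- Usage: connected as the non-superuser "toto" from the thread, the
-- superuser's session keeps its pid but every other column is NULL;
-- toto's own session is shown in full.
SELECT * FROM masked_stat_ssl ORDER BY pid;
```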