From: Tom Lane
To: Casey & Gina
cc: pgsql-general@postgresql.org
Subject: Re: Question about UNIX socket connections and SSL
Date: Wed, 12 Jun 2024 15:17:33 -0400
Message-ID: <1514893.1718219853@sss.pgh.pa.us>
In-reply-to: <5EDB1F7F-569B-48B2-8DCD-44EE17D41F1A@osss.net>

Casey & Gina writes:
> So why can't I use SSL when connecting from a client to a UNIX socket?

(1) It'd add overhead without adding any security. Data going through a UNIX socket will only pass through the local kernel, and if that's compromised then it's game over anyway.

(2) I'm less sure about this part, but I seem to recall that openssl doesn't actually work if given a UNIX socket.

Maybe there are reasons why those arguments are obsolete, but you haven't presented any.

			regards, tom lane
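Added illustration (not part of the thread, and not PostgreSQL code): the point above is that on a UNIX socket the kernel is the trust boundary, so the controls that matter are the socket file's permissions and the kernel-supplied peer identity, not TLS. PostgreSQL exposes exactly those two controls as the unix_socket_permissions setting and the "peer" authentication method for "local" lines in pg_hba.conf. The script below builds a throwaway AF_UNIX listener in a temporary directory (the socket name mimics PostgreSQL's naming style but is constructed here), restricts the socket file to the owner, and reads the connecting client's uid via SO_PEERCRED. It assumes Linux, since SO_PEERCRED is Linux-specific.

```python
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn: socket.socket) -> int:
    """Return the uid of the process on the other end of an AF_UNIX socket.

    SO_PEERCRED (Linux) yields struct ucred {pid_t pid; uid_t uid; gid_t gid};
    the kernel fills it in, so the client cannot forge it. This is the
    mechanism "peer" authentication relies on: no cipher is involved.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def demo() -> dict:
    """Serve one connection over a UNIX socket and report what the kernel tells us."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed path; PostgreSQL names its socket .s.PGSQL.<port>.
        path = os.path.join(d, ".s.PGSQL.5432")

        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        # Equivalent of unix_socket_permissions = 0600: only the owner may connect.
        os.chmod(path, 0o600)
        srv.listen(1)

        def client() -> None:
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(path)
            c.sendall(b"hello")  # constructed payload; never leaves the kernel
            c.close()

        t = threading.Thread(target=client)
        t.start()
        conn, _ = srv.accept()
        try:
            uid = peer_uid(conn)
            data = conn.recv(16)
        finally:
            conn.close()
            t.join()
            srv.close()

        mode = None  # socket file is gone once the directory is removed
        return {
            "uid_matches_self": uid == os.getuid(),
            "data": data,
            "socket_mode_restricted": True,
            "mode": mode,
        }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a reviewer of a pg_hba.conf: a "local ... peer" line already gives you an authenticated identity for socket clients, and "hostssl" lines never match socket connections at all, so requiring TLS there is not a meaningful hardening step.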