Subject: Re: Question about UNIX socket connections and SSL
From: Daniel Gustafsson
Date: Wed, 12 Jun 2024 21:32:22 +0200
To: Tom Lane
Cc: Casey & Gina, pgsql-general@postgresql.org
Message-Id: <83B23251-97B6-453B-A63F-0B2A234E69AA@yesql.se>
In-Reply-To: <1514893.1718219853@sss.pgh.pa.us>
References: <5EDB1F7F-569B-48B2-8DCD-44EE17D41F1A@osss.net> <1514893.1718219853@sss.pgh.pa.us>

> On 12 Jun 2024, at 21:17, Tom Lane wrote:
>
> Casey & Gina writes:
>> So why can't I use SSL when connecting from a client to a UNIX socket?
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.
>
> (2) I'm less sure about this part, but I seem to recall that openssl
> doesn't actually work if given a UNIX socket.

That indeed used to be the case, at least until 1.0.2 and possibly 1.1.1, but AF_UNIX is supported in 3+ IIRC. That being said, I agree with your (1).

--
Daniel Gustafsson
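The practical consequence of the exchange above is that a libpq client's sslmode only governs TCP connections: a host value naming a socket directory (one beginning with "/", which is also the default when no host or hostaddr is given) is never protected by TLS, whatever sslmode says, and its protection comes from the socket directory's filesystem permissions instead. The following is an added example, not code from the thread or from PostgreSQL, that parses a libpq keyword/value connection string and reports the effective transport security per host so a configuration review can spot "sslmode=require" settings that are silently moot on a UNIX socket and TCP connections that never verify the server. It assumes libpq's documented rules for host, hostaddr and the six sslmode values; the function names, the "<default socket dir>" label and the finding texts are this example's own.

```python
"""Added example: classify libpq connection strings by effective transport
security.  Assumes libpq's documented behaviour: a host starting with '/'
(or no host/hostaddr at all) means a UNIX-domain socket, libpq never
negotiates SSL over a UNIX socket, and sslmode is one of SSLMODES.
Environment variables such as PGSSLMODE are deliberately not consulted."""
import re

SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# key = value, where value is either single-quoted (with backslash escapes)
# or a run of non-whitespace characters (possibly empty, as in "host=").
_PAIR = re.compile(r"(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S*))")


def parse_conninfo(conninfo):
    """Parse a libpq keyword=value string into a dict (URI syntax not handled)."""
    params = {}
    pos = 0
    while pos < len(conninfo):
        if conninfo[pos].isspace():
            pos += 1
            continue
        m = _PAIR.match(conninfo, pos)
        if not m:
            raise ValueError(f"malformed conninfo near offset {pos}")
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            value = re.sub(r"\\(.)", r"\1", quoted)  # drop backslash escapes
        else:
            value = bare
        params[key] = value
        pos = m.end()
    return params


def classify(conninfo):
    """Return one (host, transport, tls) tuple per host in the string.

    transport is 'unix' or 'tcp'; tls is 'none', 'opportunistic', 'required'
    or 'verified' (the label '<default socket dir>' is this example's own)."""
    params = parse_conninfo(conninfo)
    sslmode = params.get("sslmode", "prefer")  # libpq's default
    if sslmode not in SSLMODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    hosts = params.get("host", "") or params.get("hostaddr", "")
    results = []
    for host in (hosts.split(",") if hosts else [""]):
        host = host.strip()
        if host == "" or host.startswith("/"):
            # Socket directory: SSL is never negotiated, regardless of sslmode.
            results.append((host or "<default socket dir>", "unix", "none"))
            continue
        if sslmode == "disable":
            tls = "none"
        elif sslmode in ("allow", "prefer"):
            tls = "opportunistic"  # falls back to plaintext if SSL fails
        elif sslmode == "require":
            tls = "required"       # encrypted, but server identity unchecked
        else:
            tls = "verified"       # verify-ca / verify-full
        results.append((host, "tcp", tls))
    return results


def audit(conninfo):
    """Return review findings: TCP targets without verified TLS, and UNIX
    sockets so the reviewer checks directory permissions instead of sslmode."""
    findings = []
    for host, transport, tls in classify(conninfo):
        if transport == "unix":
            findings.append(
                f"{host}: UNIX socket, sslmode does not apply; protection is the "
                "socket directory's permissions (unix_socket_permissions/group)")
        elif tls != "verified":
            findings.append(
                f"{host}: TCP with TLS '{tls}'; prefer sslmode=verify-full")
    return findings


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from any real system.
    for s in ("host=/var/run/postgresql dbname=app sslmode=require",
              "host=db.example.com dbname=app sslmode=require",
              "host=a.example.com,/tmp sslmode=verify-full"):
        print(s, "->", audit(s))
```

The split between classify() and audit() keeps the transport decision separate from the policy applied to it, so a different policy (for example tolerating sslmode=require on an internal network) only touches audit().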