
I use npgsql version 2270 and I would like to secure my connection, passing the db password NOT in cleartext and with the capability to use an SSL connection on a preconfigured postgresql server. My doubt is about how to set the connection string with npgsql.

I tried adding ssl=true sslmode=prefer to the conn string, but I have no idea how to verify if it works.
Is it sufficient for secure data transit? Is the string correct?
Is it needed to activate SSL also on the server, is that right?
How can I verify if data transits in SSL mode? Thanks all.

1 Answer

First, SSL isn't really about encrypting your password - it's about encrypting the entire stream. If you use PostgreSQL's md5 authentication method (see your pg_hba.conf), then passwords are never transferred in cleartext regardless of whether you're using SSL or not.

To use SSL, it's better to set SSL Mode to require rather than prefer: the latter will attempt to establish an SSL connection, but will fall back to non-SSL if the server doesn't support it. require will fail the connection attempt if SSL could not be established.

Regardless, yes, you need to set up SSL on PostgreSQL, including a certificate and a private key - you can read about this in the documentation.

If the aim is only to avoid sending passwords in cleartext, using md5 (or sha256 in more recent versions) is the simplest way.


7 Comments

Thanks Shay, I've confused ideas... in my pg_hba.conf I have set the MD5 method for password, but I pass the password in clear-text from my client front-end ....and it runs perfectly...how is it possible? Which is the correct way, encrypt the password in MD5 from the client and after that pass it to the connection string? Or is it correct to pass it in clear-text as I do for now? Sorry for my bad question but I don't understand why it actually runs...
MD5 means that your frontend (driver, whatever) hashes the cleartext you give it before sending it over the network - so the cleartext is never sent.
ok Shay...but does it hash automatically the password I pass in clear-text and after that send it hashed to the server, or do I have to manually hash the password in md5 and after that pass the hashed value to the connection string? This is what I have not understood
Npgsql (and all other normal clients) accept a cleartext password from you, hash it and send that to PostgreSQL. Anyone listening on the network can't see anything.
If I send the password hashed in md5 it returns an error... is it because the password must be saved in md5 format in the db server field, I suppose, is that right? At now passwords are memorized as clear text in the db table, but specifying md5 and passing as clear text it connects...
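As an added example (not code from the question or the answer above), a small C# program that forces SSL with Npgsql and then asks the server whether the current session is actually encrypted, which covers the "how can I verify" part of the question. It assumes Npgsql 3.x or later (keyword `SSL Mode`, enum `SslMode`) and PostgreSQL 9.5 or later for the `pg_stat_ssl` view; host, database and user names are placeholders.

```csharp
using System;
using Npgsql;

class SslCheck
{
    static void Main()
    {
        var csb = new NpgsqlConnectionStringBuilder
        {
            Host = "db.example.internal",   // placeholder
            Port = 5432,
            Database = "appdb",             // placeholder
            Username = "appuser",           // placeholder
            // Read the password from the environment so it is not hard-coded in source.
            Password = Environment.GetEnvironmentVariable("PGPASSWORD"),
            // Require: fail the connection instead of silently falling back to a
            // cleartext session, which is what Prefer does when the server lacks SSL.
            // Whether Require also validates the server certificate depends on the
            // Npgsql version; VerifyFull validates the CA chain and host name.
            SslMode = SslMode.Require,
        };

        using var conn = new NpgsqlConnection(csb.ConnectionString);
        conn.Open();

        // pg_stat_ssl reports, for every backend, whether TLS is in use and which
        // protocol version and cipher were negotiated. pg_backend_pid() selects
        // the row for this very connection.
        using var cmd = new NpgsqlCommand(
            "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()",
            conn);
        using var reader = cmd.ExecuteReader();
        reader.Read();
        bool ssl = reader.GetBoolean(0);

        // version and cipher are NULL when ssl is false, so only read them on success.
        Console.WriteLine(ssl
            ? $"Encrypted session: {reader.GetString(1)} / {reader.GetString(2)}"
            : "Session is NOT encrypted");
        if (!ssl)
            Environment.Exit(1);
    }
}
```

Run it once with SSL Mode=Prefer against a server without ssl=on in postgresql.conf and once with Require: the first prints "NOT encrypted" and still connects, the second fails at Open(), which is exactly the difference the answer describes.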
