Documentation asserts that, given this variable, libpq will attempt SSL connections only. Instead, libpq ignores the variable and attempts a non-SSL connection after an SSL connection fails. (libpq is a prominent programming interface for PostgreSQL clients.) An attacker intercepting session startup could compel use of a non-SSL connection, then record or modify the remainder of the session. The long-preferred PGSSLMODE environment variable does not have this problem and provides strictly more control. Affected versions: 9.3 - 9.6
Acknowledgments: Name: the PostgreSQL project; Upstream: Daniel Gustafsson
Upstream patch: Restore PGREQUIRESSL recognition in libpq. https://github.com/postgres/postgres/commit/0170b10
Mitigation: Use PGSSLMODE=require instead of PGREQUIRESSL=1
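As an added illustration (not code from this bug report or from the PostgreSQL project), the check below audits a client's process environment for the behaviour described above: on affected libpq, PGREQUIRESSL=1 without PGSSLMODE behaves like the default "prefer" and can fall back to cleartext, while PGSSLMODE set to "require" or stronger does not. The helper names and the sample environments are constructed for this example; the sslmode values and the pg_stat_ssl view are real libpq/PostgreSQL features.

```python
"""Audit a libpq client environment for reliance on the deprecated PGREQUIRESSL."""

# Real libpq sslmode values, ordered from weakest to strongest.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# Query a defender can run after connecting to confirm the session is encrypted
# (pg_stat_ssl is available from PostgreSQL 9.5 on).
SSL_CHECK_SQL = "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()"


def effective_sslmode(env):
    """Return (mode, warnings) for an environment dict.

    PGSSLMODE always takes precedence when set.  With only PGREQUIRESSL=1,
    affected libpq (9.3 - 9.6) ignores the variable, so the effective
    behaviour is the default 'prefer': SSL is attempted first, but a failed
    SSL handshake is followed by a non-SSL attempt.
    """
    warnings = []
    mode = env.get("PGSSLMODE")
    if mode is None:
        if env.get("PGREQUIRESSL") == "1":
            warnings.append("PGREQUIRESSL=1 set without PGSSLMODE; affected libpq "
                            "may fall back to a non-SSL connection")
        mode = "prefer"  # libpq default when neither variable is set
    elif mode not in SSLMODES:
        warnings.append(f"unknown PGSSLMODE value {mode!r}")
    if mode in SSLMODES and SSLMODES.index(mode) < SSLMODES.index("require"):
        warnings.append(f"PGSSLMODE={mode} permits a cleartext session")
    return mode, warnings


def harden_env(env):
    """Return a copy of env with the mitigation applied.

    PGREQUIRESSL is dropped and PGSSLMODE is raised to 'require' unless an
    equal or stronger mode (verify-ca, verify-full) is already configured.
    """
    hardened = dict(env)
    hardened.pop("PGREQUIRESSL", None)
    current = hardened.get("PGSSLMODE")
    if current not in SSLMODES or SSLMODES.index(current) < SSLMODES.index("require"):
        hardened["PGSSLMODE"] = "require"
    return hardened


if __name__ == "__main__":
    # Constructed sample: a client that relied on the deprecated variable.
    legacy = {"PGHOST": "db.example.internal", "PGREQUIRESSL": "1"}
    print(effective_sslmode(legacy))
    print(harden_env(legacy))
```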
External References: https://www.postgresql.org/about/news/1746/
Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1450116]
Affects: fedora-all [bug 1450117]
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1450115]
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Via RHSA-2017:1677 https://access.redhat.com/errata/RHSA-2017:1677

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Via RHSA-2017:1678 https://access.redhat.com/errata/RHSA-2017:1678

This issue has been addressed in the following products:
Red Hat Satellite 5.8
Red Hat Satellite 5.8 ELS
Via RHSA-2017:1838 https://access.redhat.com/errata/RHSA-2017:1838

This issue has been addressed in the following products:
Red Hat Satellite 5.7
Via RHSA-2017:2425 https://access.redhat.com/errata/RHSA-2017:2425