Why does my RDS instance have 2 unencrypted rdsadmin connections?

Question (votes: 0, answers: 1)

When I look at the unencrypted connections to my RDS instance, I see 2 connections from the rdsadmin user. These are not from my application and must be managed by AWS. Is there any documentation about these, or a way to force them to use encryption?

select * from pg_stat_ssl join pg_stat_activity on pg_stat_ssl.pid = pg_stat_activity.pid where ssl = 'f';


-[ RECORD 1 ]----+---------------------------------
pid              | 15497
ssl              | f
version          | 
cipher           | 
bits             | 
client_dn        | 
client_serial    | 
issuer_dn        | 
datid            | 16384
datname          | rdsadmin
pid              | 15497
leader_pid       | 
usesysid         | 10
usename          | rdsadmin
application_name | PostgreSQL JDBC Driver
client_addr      | 
client_hostname  | 
client_port      | -1
backend_start    | 2023-08-10 10:49:38.897878+00
xact_start       | 
query_start      | 2023-08-24 00:04:46.134798+00
state_change     | 2023-08-24 00:04:46.134818+00
wait_event_type  | Client
wait_event       | ClientRead
state            | idle
backend_xid      | 
backend_xmin     | 
query_id         | 
query            | SELECT value FROM rds_heartbeat2
backend_type     | client backend
-[ RECORD 2 ]----+---------------------------------
pid              | 6860
ssl              | f
version          | 
cipher           | 
bits             | 
client_dn        | 
client_serial    | 
issuer_dn        | 
datid            | 16384
datname          | rdsadmin
pid              | 6860
leader_pid       | 
usesysid         | 10
usename          | rdsadmin
application_name | 
client_addr      | 
client_hostname  | 
client_port      | -1
backend_start    | 2023-08-12 20:39:03.838202+00
xact_start       | 
query_start      | 2023-08-24 00:04:52.645568+00
state_change     | 2023-08-24 00:04:52.645632+00
wait_event_type  | Client
wait_event       | ClientRead
state            | idle
backend_xid      | 
backend_xmin     | 
query_id         | 3694949039461716331
query            | COMMIT
backend_type     | client backend
Tags: postgresql amazon-rds postgresql-14

1 answer

0 votes

A client_port of -1 means these are local connections over a Unix domain socket. These do not support SSL and do not need it. Since the data never crosses the network, it is not exposed to eavesdropping or man-in-the-middle attacks. Anyone who could get hold of the data in transit would already be able to do whatever they want.
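To turn the answer's point into a repeatable check, here is an added example (not part of the question or answer above, and not AWS or PostgreSQL code). It models rows from the pg_stat_ssl / pg_stat_activity join as Python objects and classifies each session by the same rule the answer gives: client_port = -1 (and a NULL client_addr) means a Unix-domain-socket session, which cannot and need not use SSL, whereas a session with a real client address and ssl = f is the one worth alerting on. The sample rows are constructed: the two rdsadmin sessions mirror the question's output, and the other pids, users and addresses are invented for illustration. The AUDIT_QUERY string is an assumed refinement of the question's query, not something from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed refinement of the question's audit query: it drops Unix-socket
# sessions (client_addr IS NULL, client_port = -1) and background processes,
# so only remote plaintext client sessions remain. pg_stat_activity documents
# client_port as -1 for Unix sockets and NULL for internal server processes.
AUDIT_QUERY = """
SELECT a.pid, a.usename, a.datname, a.client_addr, a.client_port, s.ssl
FROM pg_stat_ssl s
JOIN pg_stat_activity a ON a.pid = s.pid
WHERE NOT s.ssl
  AND a.client_addr IS NOT NULL
  AND a.backend_type = 'client backend';
"""


@dataclass
class Session:
    """One row of the pg_stat_ssl / pg_stat_activity join (fields we need)."""
    pid: int
    usename: str
    datname: str
    ssl: bool
    client_addr: Optional[str]   # NULL for Unix-socket and internal sessions
    client_port: Optional[int]   # -1 for Unix sockets, NULL for internal processes
    backend_type: str = "client backend"


def classify(s: Session) -> str:
    """Return one of: internal, local-socket, remote-tls, remote-plaintext."""
    if s.backend_type != "client backend" or s.client_port is None:
        return "internal"            # autovacuum, walwriter, etc.: no client at all
    if s.client_port == -1 or s.client_addr is None:
        return "local-socket"        # never leaves the host; SSL not applicable
    return "remote-tls" if s.ssl else "remote-plaintext"


def audit(sessions: List[Session]) -> List[Session]:
    """Sessions that are actually exposed: remote clients not using TLS."""
    return [s for s in sessions if classify(s) == "remote-plaintext"]


# Constructed sample. The first two rows reproduce the question's rdsadmin
# sessions; the remaining rows are invented for illustration.
SAMPLE_SESSIONS = [
    Session(15497, "rdsadmin", "rdsadmin", False, None, -1),
    Session(6860, "rdsadmin", "rdsadmin", False, None, -1),
    Session(7000, "app_rw", "appdb", True, "10.0.1.5", 50212),     # TLS client
    Session(7001, "app_ro", "appdb", False, "10.0.2.9", 41000),    # plaintext client
    Session(42, "", "", False, None, None, backend_type="autovacuum launcher"),
]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"pid={s.pid:<6} user={s.usename or '-':<10} {classify(s)}")
    exposed = audit(SAMPLE_SESSIONS)
    print(f"{len(exposed)} remote plaintext session(s):",
          [(s.pid, s.usename, s.client_addr) for s in exposed])
```

Run against the sample, only pid 7001 is reported; the two rdsadmin sessions are classified as local-socket and ignored, matching the answer's reasoning. On a live instance the same filter is what makes the audit query useful: remote plaintext sessions are the ones that the RDS parameter rds.force_ssl = 1 would refuse, while the Unix-socket sessions are unaffected by it.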
