Default to SSL with hardcoded AWS Redshift CA#20
992b245 to 9d7340e
9d7340e to 1e09e37
lgtm, and I think it makes sense to use SSL by default.
Default to SSL with hardcoded AWS Redshift CA
From http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html:
Amazon Redshift does not support verify-full. For more information about sslmode options, see SSL Support in the PostgreSQL documentation.
So, if this is working, it's probably not doing what we think it's doing.
I've been running with verify-full in production for several months now
I think using "sslrootcert" is making this work for us
I'll mess about with wireshark on this at home.
It looks like the redshift cluster is sending a valid ServerCertificate (when validated with redshift-ssl-ca-cert.pem) with the correct common name: "redshift-sqlalchemy-test.cforsfjmjsja.us-west-2.redshift.amazonaws.com"; see https://gist.github.com/graingert/3a46c493520db7caa460#file-redshift-tls-server-hello-txt-L188
So there is no reason that verify-ssl should not be working as designed.
I'll be sticking with "verify-full" unless someone reports issues with it, because the documentation on that page that's not wrong is dangerous.
Under the configuration here: https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html clients will accept certificates minted by Amazon for any Internet server, and anyone with any valid certificate will be able to MITM connections to the redshift server.
If you're using "verify-ca" with your system ca-store your connection can be easily compromised with any free x509 certificate.
…y-default Default to SSL with hardcoded AWS Redshift CA
You can still override this by setting
{'sslmode': 'disable'}
In fact I'd recommend using
{'sslmode': 'verify-full', 'sslrootcert': '/path/to/redshift-ssl-ca-cert.pem'}
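The two failure modes argued above (verify-ca with the system CA store accepting any publicly issued certificate, and verify-ca with the pinned Redshift CA accepting an Amazon-issued certificate for a different cluster) can be made concrete with a small model of what each libpq sslmode level actually checks. The following is an added illustration written for this discussion, not code from redshift-sqlalchemy or libpq; the certificate objects, the CA names in the trust stores, and the "other cluster" hostname are constructed, and the hostname matching is a simplified RFC 6125 style check (SAN dNSName first, CN as fallback, wildcard only in the leftmost label).

```python
"""Model of which checks each libpq sslmode performs (added illustration, not project code)."""
from dataclasses import dataclass

# Label standing in for the issuer of redshift-ssl-ca-cert.pem (constructed name)
REDSHIFT_CA = "Amazon Redshift CA"

# Hostname from the Wireshark capture discussed in this thread
CLUSTER = "redshift-sqlalchemy-test.cforsfjmjsja.us-west-2.redshift.amazonaws.com"

# Trust stores: a system store trusts many public CAs; a pinned store trusts only the Redshift CA
SYSTEM_STORE = frozenset({REDSHIFT_CA, "Public CA One", "Public CA Two"})   # constructed
PINNED_STORE = frozenset({REDSHIFT_CA})


@dataclass(frozen=True)
class Cert:
    issuer: str            # CA that signed the certificate
    common_name: str       # subject CN
    san_dns: tuple = ()    # subjectAltName dNSName entries, if any


# Constructed certificates for the three situations discussed above
GENUINE = Cert(issuer=REDSHIFT_CA, common_name=CLUSTER)
OTHER_AMAZON = Cert(issuer=REDSHIFT_CA,
                    common_name="other-cluster.cforsfjmjsja.us-west-2.redshift.amazonaws.com")
UNRELATED_PUBLIC = Cert(issuer="Public CA One", common_name="unrelated.example",
                        san_dns=("unrelated.example",))


def hostname_matches(cert: Cert, host: str) -> bool:
    """The step only verify-full performs: does a presented name match the host we dialed?"""
    names = cert.san_dns or (cert.common_name,)   # SAN takes precedence over CN when present
    host_labels = host.lower().split(".")
    for name in names:
        pat_labels = name.lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" in pat_labels[1:]:                  # wildcard permitted only in the leftmost label
            continue
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def certificate_accepted(sslmode: str, cert: Cert, host: str, trusted_cas: frozenset) -> bool:
    """Return True if a client configured with `sslmode` would accept this server certificate."""
    if sslmode in ("disable", "allow", "prefer", "require"):
        return True                                # these modes perform no certificate validation
    if sslmode not in ("verify-ca", "verify-full"):
        raise ValueError(f"unknown sslmode {sslmode!r}")
    if cert.issuer not in trusted_cas:
        return False                               # both verify modes check the chain to a trusted CA
    if sslmode == "verify-ca":
        return True                                # verify-ca stops here and never checks the hostname
    return hostname_matches(cert, host)            # verify-full additionally binds the cert to the host


def compare_modes() -> dict:
    """Outcome of each configuration against each certificate, keyed by (store, sslmode, cert)."""
    stores = {"system": SYSTEM_STORE, "pinned": PINNED_STORE}
    certs = {"genuine": GENUINE, "other_amazon": OTHER_AMAZON, "unrelated_public": UNRELATED_PUBLIC}
    return {
        (store_name, mode, cert_name): certificate_accepted(mode, cert, CLUSTER, store)
        for store_name, store in stores.items()
        for mode in ("verify-ca", "verify-full")
        for cert_name, cert in certs.items()
    }


if __name__ == "__main__":
    for key, accepted in sorted(compare_modes().items()):
        print(f"{key}: {'accepted' if accepted else 'rejected'}")
```

Reading the output: only the pinned store combined with verify-full rejects both the unrelated public certificate and the Amazon-issued certificate for another cluster while still accepting the genuine one, which is the configuration recommended above.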