Is this a known feature of 8.1 SSL connection?

Started by zhong ming wu, over 15 years ago, 5 messages, general

#1 zhong ming wu
mr.z.m.wu@gmail.com

I don't recall this being an issue with 8.4, which I am also using.

Say your 8.1 server has SSL on. Even though pg_hba.conf has

host or hostnossl .... md5

either the server or 8.1 psql insists that you have .postgresql/postgresql.*

Does that make sense to you?

Note: no "cert" in pg_hba.conf

#2 Ray Stell
stellr@cns.vt.edu
In reply to: zhong ming wu (#1)
Re: Is this a known feature of 8.1 SSL connection?

On Mon, Nov 01, 2010 at 11:54:25AM -0400, zhong ming wu wrote:

> I don't recall this being an issue with 8.4 I am also using
>
> Say your 8.1 server has SSL on. Even though pg_hba.conf have
>
> host or hostnossl .... md5
>
> either server or 8.1 psql insists that you have .postgresql/postgresql.*
>
> Does that make sense to you?
>
> Note: no "cert" in pg_hba.conf

no, that does not make sense to me, however, I don't have an 8.x to play with.

In 9.0.1,
with hostnossl+md5
ssl=on
no ~/.postgresql on the client

$ psql -p 5498 template1 postgres
Password for user postgres:
psql (9.0.1)
Type "help" for help.

template1=# \q

what is the postmaster msg exactly?

#3 zhong ming wu
mr.z.m.wu@gmail.com
In reply to: zhong ming wu (#1)
Re: Is this a known feature of 8.1 SSL connection?

On Tue, Nov 2, 2010 at 11:25 AM, Ray Stell <stellr@cns.vt.edu> wrote:

> On Tue, Nov 02, 2010 at 09:03:59AM -0400, zhong ming wu wrote:
>> On Mon, Nov 1, 2010 at 5:06 PM, Ray Stell <stellr@cns.vt.edu> wrote:
>>> no, that does not make sense to me, however, I don't have an 8.x to play with.
>>>
>>> In 9.0.1,
>>> with hostnossl+md5
>>> ssl=on
>>> no ~/.postgresql on the client
>>>
>>> $ psql -p 5498 template1 postgres
>>> Password for user postgres:
>>> psql (9.0.1)
>>> Type "help" for help.
>>>
>>> template1=# \q
>>>
>>> what is the postmaster msg exactly?
>>
>> psql 8.1 Client on 32 bit. 8.1 Server on 64 bit. Both centos 5.4.
>>
>> Client message:
>> -----------------------
>> psql: could not open certificate file
>> "/some/path/.postgresql/postgresql.crt" no such file or directory
>> ------------------
>> Server log:
>> ----------------------
>> Could not accept SSL connection: peer did not return a certificate.
>> -----------------------
>>
>> Now when a certificate was supplied the connection was made successfully
>> with hostnossl
>>
>> And at the psql prompt, I do not get "ssl connection" details as expected
>> for hostnossl connection.
>>
>> The psql command used
>>
>> psql -h 192.168.56.101 -U testuser test
>
> well, that is really strange. I wish I could help you by looking at an 8.x
> install, but I don't have time right now. If we assume the code works the
> same way in 8 and 9, which I think they probably do, then I'd have to ask
> if you are sure you are looking at the right config. Maybe you have more
> than one test db? I'm sure you are not making that mistake.

Good question. First, it's not easy to get confused like this because server
logs live in $PGDATA/pg_log/ and pg_hba.conf is in $PGDATA.
That is the production system where I first experienced the error.

The errors I sent you above were generated on two freshly made virtualboxes
with prepackaged 8.1 that comes with centos.

#4 zhong ming wu
mr.z.m.wu@gmail.com
In reply to: zhong ming wu (#1)
Re: Is this a known feature of 8.1 SSL connection?

On Tue, Nov 2, 2010 at 1:43 PM, Ray Stell <stellr@cns.vt.edu> wrote:

>> Good question. First, it's not easy to get confused like this because server
>> logs live in $PGDATA/pg_log/
>
> this is configurable in postgresql.conf. you can set the logs to any dir
> that exists and is writable by the software owner. Doing that will make it
> more clear what db you are really working with. I redirect to home:
>
> log_directory = '/home/postgres/log/atlassian'

Sure. What I meant was that it was configured to what I wrote above and that
I was not looking in the wrong log.

#5 zhong ming wu
mr.z.m.wu@gmail.com
In reply to: zhong ming wu (#1)
Re: Is this a known feature of 8.1 SSL connection?

Sorry to top post but it's this email client ..

pg_hba.conf is bare bone

Besides it asks for certs but it obviously does not do SSL connection at the end

On Nov 2, 2010 2:12 PM, "Ray Stell" <stellr@cns.vt.edu> wrote:

> On Tue, Nov 02, 2010 at 01:54:34PM -0400, zhong ming wu wrote:
>> On Tue, Nov 2, 2010 at 1:43 PM, Ray...
>
> oh, well so the 8.1 pg is doing something strange then. the only other thing
> I can think of is that maybe the rules in pg_hba are top down and it hits
> a rule before the one you are reporting. I'm not exactly sure that's how
> it works, but that would explain the problem.
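
On the rule-ordering question raised at the end of the thread: PostgreSQL reads pg_hba.conf top down and uses the first record whose connection type, database, user and client address all match, with no fall-through to later records. The sketch below is an added example, not code from the thread or from PostgreSQL; the sample file, its addresses and the function names `parse_hba` and `first_match` are constructed, and it handles only CIDR addresses and literal or `all` database and user names.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread); addresses are placeholders.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER      ADDRESS            METHOD
local      all       all                          md5
hostssl    all       all       192.168.56.0/24    md5
hostnossl  test      testuser  192.168.56.0/24    md5
host       all       all       0.0.0.0/0          reject
"""

def parse_hba(text):
    """Return (line_no, type, databases, users, network, method) per record."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":                # local records have no ADDRESS column
            ctype, db, user, method = fields[:4]
            net = None
        else:
            ctype, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr, strict=False)
        rules.append((no, ctype, db.split(","), user.split(","), net, method))
    return rules

def first_match(rules, db, user, client_ip, ssl):
    """Scan top down for a TCP connection; the first matching record decides."""
    ip = ipaddress.ip_address(client_ip)
    for no, ctype, dbs, users, net, method in rules:
        if ctype == "local":
            continue                            # Unix-socket records never match TCP
        if ctype == "hostssl" and not ssl:
            continue                            # hostssl: SSL connections only
        if ctype == "hostnossl" and ssl:
            continue                            # hostnossl: non-SSL connections only
        if not ("all" in dbs or db in dbs):
            continue
        if not ("all" in users or user in users):
            continue
        if ip.version != net.version or ip not in net:
            continue
        return no, ctype, method
    return None                                 # no record matched: connection refused
```

Calling `first_match` for the same client with `ssl=True` and `ssl=False` shows which record each kind of connection lands on, which is the check to run before concluding that a later `hostnossl` line is the one in effect.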