ssl
I'm using redhat 8.0 and postgresql 7.2.4 (rpm from postgresql.org). I want
to enable ssl.
I have edited postgresql.conf to ssl = true. I also follow the 7.3 manual
(from postgresql.org) to create certificates and placed them in
/var/lib/pgsql/data/. Then restart the server with /etc/init.d/postgresql
restart. The result is [Failed]. What else should I do? Or procedure for 7.3
is different from 7.2.4? Or the rpm does not have ssl enabled when compile?
-Jason
On Wed, 19 Mar 2003, pg wrote:
> I'm using redhat 8.0 and postgresql 7.2.4 (rpm from postgresql.org). I want
> to enable ssl.
> I have edited postgresql.conf to ssl = true. I also follow the 7.3 manual
> (from postgresql.org) to create certificates and placed them in
> /var/lib/pgsql/data/. Then restart the server with /etc/init.d/postgresql
> restart. The result is [Failed]. What else should I do? Or procedure for 7.3
> is different from 7.2.4? Or the rpm does not have ssl enabled when compile?
How does it fail? Just with a '[Failed]' message in the logs?
I must say my non rpm installation doesn't seem to pick up the hostssl line in
pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
get very far into looking into that so it's probably something I'm doing wrong.
FWIW, my pg_hba entry is:
hostssl all all xx.xx.xx.xx 255.255.255.240 md5
and the error I get is:
FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc
--
Nigel J. Andrews
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> I must say my non rpm installation doesn't seem to pick up the hostssl line in
> pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
> get very far into looking into that so it's probably something I'm doing wrong.
> FWIW, my pg_hba entry is:
> hostssl all all xx.xx.xx.xx 255.255.255.240 md5
> and the error I get is:
> FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc
I believe it would act that way if the incoming connection is non-SSL
(which suggests that your libpq isn't compiled with SSL support).
regards, tom lane
On Wed, 19 Mar 2003, Tom Lane wrote:
> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > I must say my non rpm installation doesn't seem to pick up the hostssl line in
> > pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
> > get very far into looking into that so it's probably something I'm doing wrong.
> > FWIW, my pg_hba entry is:
> > hostssl all all xx.xx.xx.xx 255.255.255.240 md5
> > and the error I get is:
> > FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc
>
> I believe it would act that way if the incoming connection is non-SSL
> (which suggests that your libpq isn't compiled with SSL support).
Interesting you should say that because I now remember what happened, slap me
with a wet fish later for the noise.
I'm convinced I rebuilt on the workstation in order to get a libpq with ssl. I
am equally convinced I tested it and it worked. Then a couple of days later
trying to get the developers using Windows to be able to connect I looked at it
again and I found my psql was no longer linked against the ssl library. Was
very weird.
However, I never was able to get the developers connected. I may need to
revisit that later.
Sorry for the noise, my memory is going.
--
Nigel Andrews
How is one supposed to connect to the SSL connection from script languages?
On Wed, 19 Mar 2003, Dennis Gearon wrote:
> How is one supposed to connect to the SSL connection from script languages?
If they're using libpq which I believe the non pure perl interface does then it
should be transparent if the client's libpq has been built with ssl
enabled. The tcl interface uses libpq no doubt, I don't know about python but I
don't see why it wouldn't and of course psql uses libpq so that's covered as
well.
ssh tunneling works I believe as well...indeed, trawling my memory again, may
be that's what I had working and I never did rebuild the workstation's package
with ssl. Oh well, there's that memory thing again.
Nigel Andrews
Oh, my problem is My server doesn't even start, and there's no log about
this start failure. Screen dump as below :
============
[root@local init.d]# ./postgresql start
Starting postgresql service: [ FAILED ]
============
Does the postgresql contained in standard (from postgresql.org) compiled
with ssl enabled?
-Jason
On Thu, 2003-03-20 at 01:46, pg wrote:
> Oh, my problem is My server doesn't even start, and there's no log about
> this start failure. Screen dump as below :
> ============
> [root@local init.d]# ./postgresql start
> Starting postgresql service: [ FAILED ]
> ============
> Does the postgresql contained in standard (from postgresql.org) compiled
> with ssl enabled?
Find out thus:
$ ldd /usr/lib/postgresql/bin/postmaster
libpam.so.0 => /lib/libpam.so.0 (0x40023000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4002c000)
...
So in my case the answer is yes.
--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"Every good gift and every perfect gift is from above,
coming down from the Father of the heavenly lights,
who does not change like shifting shadows."
James 1:17
It is yes in my case too :
[root@local root]# ldd /usr/bin/postmaster
libpam.so.0 => /lib/libpam.so.0 (0x40023000)
libssl.so.2 => /lib/libssl.so.2 (0x4002c000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x4005c000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40130000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4018d000)
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x4019d000)
libz.so.1 => /usr/lib/libz.so.1 (0x4019f000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x401ae000)
libresolv.so.2 => /lib/libresolv.so.2 (0x401db000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401ed000)
libdl.so.2 => /lib/libdl.so.2 (0x40203000)
libm.so.6 => /lib/libm.so.6 (0x40206000)
libreadline.so.4 => /usr/lib/libreadline.so.4 (0x40228000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0x40255000)
libc.so.6 => /lib/libc.so.6 (0x40259000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
So what have I done wrong??
I turned ssl = on in postgresql.conf, and restart postgresql. It just
failed.
-Jason
"Jason" <pg@newhonest.com> writes:
> So what have I done wrong??
> I turned ssl = on in postgresql.conf, and restart postgresql. It just
> failed.
No error message? If so, look again (or more likely, look to see why
your start script is routing the postmaster's complaint to /dev/null).
My private bet is that you haven't set up the key/certificate files
needed by SSL, but there's not much use in guessing about it. First
thing you need is to be able to say something more concrete than "it
just failed".
regards, tom lane
Hi Tom,
I've followed strictly as suggested by techdoc to create certs(server.crt,
server.key, server.req). The only two factors I'm not sure are :
1. where should I put those certs. I've put them in /var/lib/pgsql/data,
where postgresql.conf sitting.
2. what user rights should the certs be. The ones I have now are already
anybody readable.
After setting the above and ssl = on in postgresql.conf, I restart the
server with /etc/init.d/postgresql restart, it failed with no logging in
pgsql (which is logging all local0), or message.log (the system log).
-Jason
Sorry for making this trouble. I chmod postgres.postgres server.*, and the
server started normally. Thanks for help.
-Jason
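
The two checks this thread converged on (is the postmaster linked against libssl, and can the server user actually use server.crt and server.key), written as an added example that is not from any of the posters. The function names are hypothetical, and the owner-only rule for server.key is taken from current PostgreSQL documentation, assumed rather than confirmed for 7.2.4.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before setting ssl = on.
# Function names are hypothetical; the owner-only rule for server.key
# follows current PostgreSQL documentation (an assumption for 7.2.4).

# Reads `ldd` output on stdin; succeeds if libssl is linked in.
ldd_has_libssl() { grep -q 'libssl\.so'; }

# check_ssl_files DATADIR USER
# Prints one line per problem; exit status is the number of problems.
check_ssl_files() {
    datadir=$1 user=$2 problems=0
    # Accept a user name or a numeric uid for the expected owner.
    want=$(id -u "$user" 2>/dev/null || echo "$user")
    for f in server.crt server.key; do
        path=$datadir/$f
        if [ ! -f "$path" ]; then
            echo "missing: $path"
            problems=$((problems + 1))
            continue
        fi
        owner=$(ls -ldn -- "$path" | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            echo "uid $owner owns $path, expected $user"
            problems=$((problems + 1))
        fi
    done
    key=$datadir/server.key
    if [ -f "$key" ]; then
        # Characters 5-10 of the mode string are the group/other bits.
        others=$(ls -ld -- "$key" | cut -c5-10)
        if [ "$others" != "------" ]; then
            echo "group/world access ($others) on $key"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage with the paths from the thread:
#   ldd /usr/bin/postmaster | ldd_has_libssl || echo "no SSL support"
#   sh this_script.sh /var/lib/pgsql/data postgres
[ $# -lt 2 ] || check_ssl_files "$1" "$2"
```

Run it as root so that both files can be inspected regardless of who owns them.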