Re: SSL between Primary and Seconday PostgreSQL DBs - Mailing list pgsql-general
From | Susan Joseph |
---|---|
Subject | Re: SSL between Primary and Seconday PostgreSQL DBs |
Date | |
Msg-id | 1030654552.2676681.1599138579381@mail.yahoo.com Whole thread Raw |
In response to | Re: SSL between Primary and Seconday PostgreSQL DBs (Susan Joseph <sandajoseph@verizon.net>) |
Responses |
Re: SSL between Primary and Seconday PostgreSQL DBs
|
List | pgsql-general |
So I made the changes on the secondary to change the sslmode to verify-full
I removed the clientcert=1 in pg_hba.conf and removed any connections other than ssl
I removed the passfile info from recovery.conf
and now I am getting this error:
2020-09-03 13:01:49.990 UTC [7963] FATAL: could not connect to the primary server: server certificate for "lc-subca-pg.theforest.sap" does not match host name "192.168.1.142"
My certificate for my primary is:
Version: 3
Serial: 0x1B
Issuer: CN=LifeCycle SubCA, OU=CA, OU=DoDSAP, OU=DoD, O=U.S. Government, C=US
Subject: CN=lc-subca-pg.theforest.sap, OU=NPE, OU=DoDSAP, OU=DoD, O=U.S. Government, C=US
NotBefore: 20 AUG 2020 16:46:48 GMT
NotAfter: 05 AUG 2028 18:51:19 GMT
KeyType: RSA2048
Signature Algorithm: sha384RSA
Extensions:
Enhanced Key Usage
Server Authentication
Client Authentication
Key Usage
(Critical)
Digital signature
Key encipherment
(A0)
Subject Alternative Name
DNS name: lc-subca-pg.theforest.sap
IP Address: 192.168.1.142
Subject Key Identifier
FF4C0DCD62B17F99935DB3977D49711892958E20
Authority Key Identifier
Key ID: 6495303FEB8925B9C83B7A63FF7F026C974E308E
SHA-1 Fingerprint: 51B1A879EB5ADAFA23042A8E84165CF89438F29B
Serial: 0x1B
Issuer: CN=LifeCycle SubCA, OU=CA, OU=DoDSAP, OU=DoD, O=U.S. Government, C=US
Subject: CN=lc-subca-pg.theforest.sap, OU=NPE, OU=DoDSAP, OU=DoD, O=U.S. Government, C=US
NotBefore: 20 AUG 2020 16:46:48 GMT
NotAfter: 05 AUG 2028 18:51:19 GMT
KeyType: RSA2048
Signature Algorithm: sha384RSA
Extensions:
Enhanced Key Usage
Server Authentication
Client Authentication
Key Usage
(Critical)
Digital signature
Key encipherment
(A0)
Subject Alternative Name
DNS name: lc-subca-pg.theforest.sap
IP Address: 192.168.1.142
Subject Key Identifier
FF4C0DCD62B17F99935DB3977D49711892958E20
Authority Key Identifier
Key ID: 6495303FEB8925B9C83B7A63FF7F026C974E308E
SHA-1 Fingerprint: 51B1A879EB5ADAFA23042A8E84165CF89438F29B
Susan Joseph
sandajoseph@verizon.net
sandajoseph@verizon.net
-----Original Message-----
From: Susan Joseph <sandajoseph@verizon.net>
To: sfrost@snowman.net <sfrost@snowman.net>
Cc: pgsql-general@postgresql.org <pgsql-general@postgresql.org>
Sent: Thu, Sep 3, 2020 8:55 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
From: Susan Joseph <sandajoseph@verizon.net>
To: sfrost@snowman.net <sfrost@snowman.net>
Cc: pgsql-general@postgresql.org <pgsql-general@postgresql.org>
Sent: Thu, Sep 3, 2020 8:55 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
This is great, thanks. I have not heard of verify-full but I will try that and let you know if I have issues.
So I will remove the passfile info for recovery.conf. It was there because I first set it up using passwords to make sure it was working and then moved to SSL so if not needed I can remove it.
So if I don't put clientcert=1 do I just leave it at cert or should it be set to something else?
I will try and drop the other connection lines in the pg_hba.conf but I thought the last time I did that it through an error. Let me try it again and see if it works.
So are you saying that "sslmode=verify-ca" doesn't actually verify that the certificate is from a CA it trusts?
So my big question is: am I really adding more security by turning on SSL or is it just more work for the DBA?
Susan Joseph
sandajoseph@verizon.net
sandajoseph@verizon.net
-----Original Message-----
From: Stephen Frost <sfrost@snowman.net>
To: Susan Joseph <sandajoseph@verizon.net>
Cc: pgsql-general@postgresql.org <pgsql-general@postgresql.org>
Sent: Thu, Sep 3, 2020 8:28 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
Greetings,
* Susan Joseph (sandajoseph@verizon.net) wrote:
> - primary_conninfo = 'user=rep_user passfile=''/data/.pgpass'' host=<Primary DB IP> port=5432 sslmode=verify-ca sslcert=client.crt sslkey=client.key sslcompression=0 target_session_attrs=any'
You really should be using sslmode=verify-full, otherwise any
certificate signed by a trusted CA on the server side is accepted.
Also, you shouldn't really need to pass in 'passfile' above...
> - On the Secondary I edit the pg_hba.conf file and change the rep_user line to:
>
> - hostssl replication rep_user <primary IP>/32 cert clientcert=1
Saying clientcert=1 when using cert auth really shouldn't be needed.
> My questions are:
> - Do I need to set the information in the Secondary postgresql.conf? Originally I did not set this and everything worked but I saw errors in my log files that said to do SSL these needed to be set so I went back and set them. Are there pgsql commands I can run to test that my SSL is working in both directions?
The only connection you're talking about here is from the secondary to
the primary and for that you just need the primary_conninfo settings for
the secondary set up correctly and the SSL settings on the primary.
However, if you want people to be able to make SSL connections to the
secondary, then you need to configure SSL on the secondary.
As for testing the connection, see the pg_stat_ssl view.
> - Are my pg_hba.conf files set correctly? Is that how you get SSL "turned on" for communications between the primary and the rep_user account?
'hostssl' will only match an incoming connection if it's being made over
SSL. As long as you don't have anything else in your pg_hba.conf, then
only SSL connections will be allowed. However, first entry in the
pg_hba.conf matches, so if you have earlier entries, those might be
getting used instead.
> - If I leave my key file encrypted then every time my databases have to be started have to enter the password. So you can either leave the passwords unencrypted and set the permissions on the file to 0600 accessible only by postgres or you can enter the key password each time the database is started up. As someone in the security field I have a tough time leaving the key unencrypted but as some setting up a production system that is located on a network that you can't get to without directly accessing the server I feel that is enough security that I can leave them unencrypted. Thoughts?
You could use a vaulting system to pull the key and make it available at
startup and then remove it after, perhaps, but I would suggest that it's
pretty common to have SSL keys unencrypted on systems which are doing
SSL and otherwise secured.
> - Am I missing anything? There are no videos out there that show how to stand up a 2 way SSL communication channel between the primary and secondary, or does anyone have one that they can share?
Unfortunately, there's definitely areas here where we could, and really
should, improve when it comes to logging exactly what validation has
been done on incoming connections, to provide the kind of reassurance
you're looking for. Things like the difference between verify-ca and
verify-full aren't really very well explained, particularly since it's
very uncommon, in my experience, for people who have used SSL/TLS in
other places to have any concept of "verify-ca" since it's basically
"don't actually verify that the other side is who they claim to be"..
Thanks,
Stephen
From: Stephen Frost <sfrost@snowman.net>
To: Susan Joseph <sandajoseph@verizon.net>
Cc: pgsql-general@postgresql.org <pgsql-general@postgresql.org>
Sent: Thu, Sep 3, 2020 8:28 am
Subject: Re: SSL between Primary and Seconday PostgreSQL DBs
Greetings,
* Susan Joseph (sandajoseph@verizon.net) wrote:
> - primary_conninfo = 'user=rep_user passfile=''/data/.pgpass'' host=<Primary DB IP> port=5432 sslmode=verify-ca sslcert=client.crt sslkey=client.key sslcompression=0 target_session_attrs=any'
You really should be using sslmode=verify-full, otherwise any
certificate signed by a trusted CA on the server side is accepted.
Also, you shouldn't really need to pass in 'passfile' above...
> - On the Secondary I edit the pg_hba.conf file and change the rep_user line to:
>
> - hostssl replication rep_user <primary IP>/32 cert clientcert=1
Saying clientcert=1 when using cert auth really shouldn't be needed.
> My questions are:
> - Do I need to set the information in the Secondary postgresql.conf? Originally I did not set this and everything worked but I saw errors in my log files that said to do SSL these needed to be set so I went back and set them. Are there pgsql commands I can run to test that my SSL is working in both directions?
The only connection you're talking about here is from the secondary to
the primary and for that you just need the primary_conninfo settings for
the secondary set up correctly and the SSL settings on the primary.
However, if you want people to be able to make SSL connections to the
secondary, then you need to configure SSL on the secondary.
As for testing the connection, see the pg_stat_ssl view.
> - Are my pg_hba.conf files set correctly? Is that how you get SSL "turned on" for communications between the primary and the rep_user account?
'hostssl' will only match an incoming connection if it's being made over
SSL. As long as you don't have anything else in your pg_hba.conf, then
only SSL connections will be allowed. However, first entry in the
pg_hba.conf matches, so if you have earlier entries, those might be
getting used instead.
> - If I leave my key file encrypted then every time my databases have to be started have to enter the password. So you can either leave the passwords unencrypted and set the permissions on the file to 0600 accessible only by postgres or you can enter the key password each time the database is started up. As someone in the security field I have a tough time leaving the key unencrypted but as some setting up a production system that is located on a network that you can't get to without directly accessing the server I feel that is enough security that I can leave them unencrypted. Thoughts?
You could use a vaulting system to pull the key and make it available at
startup and then remove it after, perhaps, but I would suggest that it's
pretty common to have SSL keys unencrypted on systems which are doing
SSL and otherwise secured.
> - Am I missing anything? There are no videos out there that show how to stand up a 2 way SSL communication channel between the primary and secondary, or does anyone have one that they can share?
Unfortunately, there's definitely areas here where we could, and really
should, improve when it comes to logging exactly what validation has
been done on incoming connections, to provide the kind of reassurance
you're looking for. Things like the difference between verify-ca and
verify-full aren't really very well explained, particularly since it's
very uncommon, in my experience, for people who have used SSL/TLS in
other places to have any concept of "verify-ca" since it's basically
"don't actually verify that the other side is who they claim to be"..
Thanks,
Stephen
pgsql-general by date: