Re: ssl database connection problems... - Mailing list pgsql-admin

From Ray Stell
Subject Re: ssl database connection problems...
Date
Msg-id 20090123200253.GB1466@cns.vt.edu
In response to Re: ssl database connection problems...  (Carol Walter <walterc@indiana.edu>)
List pgsql-admin
On Fri, Jan 23, 2009 at 02:04:21PM -0500, Carol Walter wrote:
>>>
>>> ssl_ciphers 'ALL:!ADH:!LOW:@STRENGTH'

I don't understand this syntax; is it described somewhere, to your
knowledge?  The docs say to see the openssl docs, so I went
fishing there.  Maybe one of these will work:

>  openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
...
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export



> Yes, this says "All but ADH and low."  I changed this line to just be
> ssl_ciphers = 'ALL' .  Stopped, started, and re-ran and it still doesn't
> connect.  The messages in the log file say "cipher or hash unavailable".

Maybe that means the ALL I guessed is wrong, but I dunno; the documentation
doesn't say what that string means.


> Since the files of the ciphers are definitely on the system, this suggests
> that either postgres doesn't know where to find them or the permission on
> them are wrong.

It should; seems like that would have been handled in your compile pointing to
the libs.


> The default is
> #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'      # allowed SSL

I don't know what this means; these are not listed in the openssl docs
that are pointed to.  Guess we could go read the pg source and figure
out what they do with this config line, maybe.  We need a clue here...


> how to tell postgres which set of cipher files to use.  It's in the OpenSSL
> path, but not the complete path.

I'm thinking that is covered in the compile and you are not using the config
line to pg's liking, but that's just a guess.

Sorry, I can't try this stuff myself, buried in Oracle cruft right now.
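Editor's note: the string being puzzled over is OpenSSL's cipher-list syntax from ciphers(1), which PostgreSQL hands to OpenSSL unchanged. In that syntax ":" separates rules, a bare keyword appends every matching suite, "!" removes matches permanently, "-" removes them but a later rule may re-add them, "+" moves matches to the end, and "@STRENGTH" sorts the current list by encryption key size. "ADH" means anonymous DH (no server authentication), "LOW" means 56/64-bit non-export suites, "EXP" means export-grade suites and "MD5" means suites with an MD5 MAC. The following is an added example, not code from this thread or from PostgreSQL: a small Python model of that syntax, run over a constructed table laid out like the `openssl ciphers -v` output above (suite names are real 0.9.8-era names, but the table is hand-written, not an openssl run). The keyword set is a subset of ciphers(1) and `weak_suites` applies a reviewer's own criteria, both assumptions of the example.

```python
"""Model of the OpenSSL cipher-list syntax used by postgresql.conf ssl_ciphers.

Added example, not from the pgsql-admin thread or from PostgreSQL.  Rule
semantics follow ciphers(1); the keyword table is a subset of the real one.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: "RSA", "DH", "RSA(512)" ...
    au: str        # authentication: "RSA", "DSS", "None" (= anonymous)
    enc: str       # "AES(256)", "RC4(40)", "None" ...
    mac: str       # "SHA1", "MD5"
    export: bool   # trailing "export" flag in `openssl ciphers -v`

    @property
    def bits(self) -> int:
        m = re.search(r"\((\d+)\)", self.enc)
        return int(m.group(1)) if m else 0


# Constructed table in `openssl ciphers -v` layout (assumption: not a real run).
CIPHERS_V = """\
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""


def parse_ciphers_v(text: str) -> list:
    """Parse `openssl ciphers -v` style lines into Suite records."""
    suites = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6:
            name, _proto, kx, au, enc, mac = f[:6]
            suites.append(Suite(name, kx[3:], au[3:], enc[4:], mac[4:],
                                "export" in f[6:]))
    return suites


# Keyword -> predicate, after ciphers(1) (subset; assumption of this example).
KEYWORDS = {
    "ALL":    lambda s: s.enc != "None",                  # all but eNULL
    "eNULL":  lambda s: s.enc == "None",
    "ADH":    lambda s: s.kx.startswith("DH") and s.au == "None",
    "EXP":    lambda s: s.export,
    "EXPORT": lambda s: s.export,
    "LOW":    lambda s: s.bits in (56, 64) and not s.export,
    "MD5":    lambda s: s.mac == "MD5",
    "AES":    lambda s: s.enc.startswith("AES"),
    "RC4":    lambda s: s.enc.startswith("RC4"),
}


def _matches(term: str, s: Suite) -> bool:
    """A term is a keyword or a literal suite name; 'A+B' must match both."""
    for part in term.split("+"):
        pred = KEYWORDS.get(part)
        if (part != s.name) if pred is None else (not pred(s)):
            return False
    return True


def expand(spec: str, suites: list) -> list:
    """Return the suite names the cipher string permits, in preference order."""
    active, dead = [], set()          # ordered list; names killed by '!'
    for token in re.split(r"[:, ]+", spec.strip()):
        if token == "@STRENGTH":
            active.sort(key=lambda s: s.bits, reverse=True)   # stable sort
            continue
        op, term = (token[0], token[1:]) if token[:1] in ("!", "-", "+") else ("", token)
        hit = {s.name for s in suites if _matches(term, s)}
        if op == "!":
            dead |= hit
            active = [s for s in active if s.name not in dead]
        elif op == "-":
            active = [s for s in active if s.name not in hit]
        elif op == "+":
            active = [s for s in active if s.name not in hit] + \
                     [s for s in active if s.name in hit]
        elif term:
            have = {s.name for s in active}
            active += [s for s in suites
                       if s.name in hit and s.name not in have and s.name not in dead]
    return [s.name for s in active]


def weak_suites(spec: str, suites: list) -> list:
    """Suites the spec still allows that fail this example's own cut-off:
    anonymous, export-grade, MD5 MAC, or under 128 bits."""
    by = {s.name: s for s in suites}
    return [n for n in expand(spec, suites)
            if by[n].au == "None" or by[n].export or by[n].mac == "MD5" or by[n].bits < 128]


if __name__ == "__main__":
    table = parse_ciphers_v(CIPHERS_V)
    for spec in ("ALL", "ALL:!ADH:!LOW:@STRENGTH", "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"):
        print(spec, "->", expand(spec, table), "weak:", weak_suites(spec, table))
```

Run stand-alone it shows that `ALL` keeps the anonymous, export and MD5 suites, that `ALL:!ADH:!LOW:@STRENGTH` still admits the export and MD5 ones, and that the shipped default `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH` leaves only authenticated suites of 128 bits or more, strongest first. On a real server the same expansion against the installed library is `openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'`; an empty result, or an error from that command, is the one case where the cipher string itself could stop connections.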
