Hi Magnus,
Thanks for the help. I'll take a look at fe-connect.c and see if I can
get my JDBC driver working.
Is anyone within the Postgres project currently adding SSL support to
JDBC? Anyone interested in the patches once I get everything working?
-Paul
Magnus Hagander wrote:
> Hi!
>
> SSL is not enabled at connection time in pgsql - it is negotiated with
> the postmaster, and enabled later. You need to send a correctly
> formatted start message in clear text to the postmaster to initiate the
> SSL negotiation first, and turn on SSL after that (assuming the
> postmaster reports that SSL is Ok).
> This is done so the postmaster can listen for both SSL and non-SSL
> connections on the same port.
>
> Take a look at how libpq does it. In 7.1.3, it starts at line 963 in
> interfaces/libpq/fe-connect.c.
> (Sorry, don't have the source to a newer version around right now - look
> for comment on 'Attempt to negotiate SSL usage').
>
> //Magnus
>
>
>>-----Original Message-----
>>From: Paul Legato [mailto:plegato@nks.net]
>>Sent: Tuesday, August 06, 2002 5:47 PM
>>To: pgsql-admin@postgresql.org
>>Cc: pgsql-jdbc@postgresql.org
>>Subject: [ADMIN] Connecting via SSL not working (except from psql)
>>
>>
>>Hi,
>>
>>I'm trying to connect to SSL-enabled Postgres (started with -i -l) using
>>both the openssl command line utility and with a modified JDBC driver
>>using the built in JSSE API from Java 1.4.
>>
>>If I attempt to connect from a shell with the openssl test utility, I get:
>>
>>$ openssl s_client -connect localhost:5432
>>CONNECTED(00000003)
>>25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
>>
>>With the JDBC driver, at connection I get:
>>
>>javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>>
>>In both cases, the server logs the message "FATAL 1: invalid length of
>>startup packet".
>>
>>A connection to the server with psql works fine, and prints "SSL
>>connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
>>manually specifying this cipher to openssl, which does not change the
>>result.
>>
>>I'm stuck. Any suggestions or pointers will be greatly appreciated. :)
>>
>>Thanks,
>>-Paul
>
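
The cleartext negotiation step Magnus describes, as an added example that is not part of the original thread and not taken from libpq. It assumes the 8-byte SSLRequest layout of protocol version 3.0 (PostgreSQL 7.4 and later); the releases discussed in this thread are older, so check that release's fe-connect.c for the exact packet it sends. The function names and the socketpair standing in for the postmaster are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* SSLRequest code: 1234 in the high 16 bits, 5679 in the low 16 (80877103). */
#define PG_SSL_REQUEST_CODE ((1234u << 16) | 5679u)

enum pg_ssl_result { PG_SSL_OK = 0, PG_SSL_REFUSED = 1, PG_SSL_ERROR = -1 };

/* Fill buf with the SSLRequest: int32 length (8, counting itself) followed
   by the int32 request code, both in network byte order. */
void pg_build_ssl_request(unsigned char buf[8])
{
    uint32_t len = htonl(8), code = htonl(PG_SSL_REQUEST_CODE);
    memcpy(buf, &len, 4);
    memcpy(buf + 4, &code, 4);
}

/* Cleartext step on a connected socket. Exactly one reply byte is read, so
   nothing sent ahead of the handshake is buffered and later trusted. Only
   after PG_SSL_OK may the caller start TLS (SSL_connect, or a JSSE socket). */
enum pg_ssl_result pg_negotiate_ssl(int fd)
{
    unsigned char req[8], reply;
    pg_build_ssl_request(req);
    if (write(fd, req, sizeof req) != (ssize_t)sizeof req) return PG_SSL_ERROR;
    if (read(fd, &reply, 1) != 1) return PG_SSL_ERROR;
    if (reply == 'S') return PG_SSL_OK;       /* postmaster will speak SSL */
    if (reply == 'N') return PG_SSL_REFUSED;  /* SSL not available on server */
    return PG_SSL_ERROR;                      /* anything else, e.g. 'E' */
}

/* Constructed harness: a socketpair stands in for the postmaster, which
   answers with server_reply. The bytes the client sent are copied to sent. */
enum pg_ssl_result pg_demo(char server_reply, unsigned char sent[8])
{
    int sv[2];
    enum pg_ssl_result r = PG_SSL_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return r;
    if (write(sv[1], &server_reply, 1) == 1)  /* queue the postmaster's answer */
        r = pg_negotiate_ssl(sv[0]);
    if (r != PG_SSL_ERROR && read(sv[1], sent, 8) != 8) r = PG_SSL_ERROR;
    close(sv[0]); close(sv[1]);
    return r;
}
```

A client that is configured to require SSL should treat `PG_SSL_REFUSED` as a connection failure rather than continue in cleartext.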