Re: SslTests failures - Mailing list pgsql-jdbc
From | Mikko Tiihonen |
---|---|
Subject | Re: SslTests failures |
Date | |
Msg-id | 4ECC0698.7000305@nitorcreations.com |
In response to | Re: SslTests failures (Dave Cramer <pg@fastcrypt.com>) |
Responses | Re: SslTests failures - resolved |
List | pgsql-jdbc |
On 11/22/2011 09:40 PM, Dave Cramer wrote:
> Mikko,
>
> You probably (like me) have a very permissive pg_hba.conf file. It
> needs to be restricted so that local databases need to connect via
> ssl. At least that was my experience.

Thanks, that helped me further. I had to uncomment all lines starting with "host all" or use the provided pg_hba.conf as is.

Now I have only 28 failures:
sslcertgh[89]-disable*
sslcertbh[89]-disable*

They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest" on jdbc driver side and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on server side.

I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which case I'll update the documentation to say that the postgres account for SSL tests must be named "test".

> On Tue, Nov 22, 2011 at 2:34 PM, Mikko Tiihonen
> <mikko.tiihonen@nitorcreations.com> wrote:
>> Hi,
>>
>> I'm trying to run the SslTests but get 88 failures. It is probably something
>> I set up wrong in the environment.
>>
>> The following tests fail:
>>
>> sslhostnossl[89]-requireG*
>> sslhostnossl[89]-verify-caGG*
>> sslhostnossl[89]-verify-fullGG*
>>
>> sslhostsslgh[89]-disable*
>> sslhostsslbh[89]-disable*
>>
>> sslhostcertgh[89]-disable*
>> sslhostcertbh[89]-disable*
>>
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> All of them fail with unexpectedly successful connection (meaning: test
>> expected connection opening to fail but it succeeded).
>>
>> Here is a patch to the ssltest documentation describing how I have tried to
>> set-up the environment.
>>
>>
>> Index: certdir/README >> =================================================================== >> RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v >> retrieving revision 1.1 >> diff -u -r1.1 README >> --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 >> +++ certdir/README 22 Nov 2011 19:29:27 -0000
>> @@ -42,3 +42,11 @@ >> The subdirectory server contains what should be copied to the PGDATA >> directory. >> >> For the tests the sslinfo module must be installed into every database. >> +The ssl=on must be set in postgresql.conf >> + >> +The following command creates the databases and installs the sslinfo >> module. >> + >> +for db in hostssldb hostnossldb certdb hostsslcertdb; do >> + createdb $db >> + psql $db -c "create extension sslinfo" >> +done >> >> -- >> Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org) >> To make changes to your subscription: >> http://www.postgresql.org/mailpref/pgsql-jdbc >>
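Review bot: The added README lines cover ssl=on and database creation but say nothing about pg_hba.conf, and this thread shows that a permissive pg_hba.conf is what produced the unexpectedly successful connections; add a sentence next to "The ssl=on must be set in postgresql.conf" saying that the provided pg_hba.conf must be used as is. In the loop, `create extension sslinfo` is only available on PostgreSQL 9.1 and later, so the README should state that requirement, and `$db` is better quoted with psql running only when createdb succeeded, for example `createdb "$db" && psql "$db" -c "create extension sslinfo"`.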
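Both failure patterns in this message follow from how the server evaluates pg_hba.conf: the first matching line decides, and the cert method compares the certificate CN with the requested user name. The sketch below is an added example, not part of the original message or the pgjdbc project. The pg_hba.conf contents, address and auth methods are constructed assumptions (only the database names come from the README patch), no pg_ident map is assumed, and the parser handles only CIDR-form host lines.

```python
import ipaddress

# Constructed pg_hba.conf samples (not the project's file). Database names are the
# ones created in the README patch; addresses and methods are assumptions.
RESTRICTED = """\
hostssl   hostssldb      all  127.0.0.1/32  md5
hostnossl hostnossldb    all  127.0.0.1/32  md5
hostssl   certdb         all  127.0.0.1/32  cert
hostssl   hostsslcertdb  all  127.0.0.1/32  cert
"""
# Same rules with a catch-all "host all" line in front of them.
PERMISSIVE = "host all all 127.0.0.1/32 trust\n" + RESTRICTED

def parse(text):
    """Parse host/hostssl/hostnossl lines in CIDR form; other line forms are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            rules.append((f[0], f[1].split(","), f[2].split(","),
                          ipaddress.ip_network(f[3]), f[4]))
    return rules

def first_match(rules, db, user, addr, ssl):
    """Return the first rule matching the connection, as the server does, or None."""
    ip = ipaddress.ip_address(addr)
    for kind, dbs, users, net, method in rules:
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if ("all" in dbs or db in dbs) and ("all" in users or user in users) and ip in net:
            return kind, method
    return None

def outcome(text, db, user, ssl, cert_cn=None, addr="127.0.0.1"):
    """Predict accept/reject, assuming a correct password for password methods."""
    rule = first_match(parse(text), db, user, addr, ssl)
    if rule is None:
        return "reject: no pg_hba.conf entry"
    kind, method = rule
    if method == "cert" and cert_cn != user:  # no pg_ident map: CN must equal the user
        return "reject: certificate CN does not match user"
    return f"accept: {kind} {method}"

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, outcome(conf, "hostssldb", "jdbctest", ssl=False))
    print(outcome(RESTRICTED, "certdb", "jdbctest", ssl=True, cert_cn="test"))
```

With the catch-all line present, every "expected to fail" connection is accepted by that first line before the per-database rules are ever consulted.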