Re: SslTests failures - Mailing list pgsql-jdbc

From Mikko Tiihonen
Subject Re: SslTests failures
Date
Msg-id 4ECC0698.7000305@nitorcreations.com
Whole thread Raw
In response to Re: SslTests failures  (Dave Cramer <pg@fastcrypt.com>)
Responses Re: SslTests failures - resolved
List pgsql-jdbc
On 11/22/2011 09:40 PM, Dave Cramer wrote:
> Mikko,
>
> You probably (like me) have a very permissive pg_hba.conf file. It
> needs to be restricted so that local databases need to connect via
> ssl. At least that was my experience.

Thanks, that helped me further. I had to uncomment all lines starting with
"host all" or use the provided pg_hba.conf as is.

Now I have only 28 failures:
sslcertgh[89]-disable*
sslcertbh[89]-disable*

They fail with "Connection rejected: FATAL:  certificate authentication failed for user "jdbctest" on jdbc driver side
and "LOG:  provided user name (jdbctest) and authenticated user name (test) do not match" on server side.

I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which
caseI'll update the 
documentation to say that the postgres account for SSL tests must be named "test".


> On Tue, Nov 22, 2011 at 2:34 PM, Mikko Tiihonen
> <mikko.tiihonen@nitorcreations.com>  wrote:
>> Hi,
>>
>> I'm trying to run the SslTests but get 88 failures. It is probably something
>> I set up wrong in the environment.
>>
>> The following tests fail:
>>
>> sslhostnossl[89]-requireG*
>> sslhostnossl[89]-verify-caGG*
>> sslhostnossl[89]-verify-fullGG*
>>
>> sslhostsslgh[89]-disable*
>> sslhostsslbh[89]-disable*
>>
>> sslhostcertgh[89]-disable*
>> sslhostcertbh[89]-disable*
>>
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> All of them fail with unexpectedly successful connection (meaning: test
>> expected connection opening to fail but it succeeded).
>>
>> Here is a patch to the ssltest documentation describing how I have tried to
>> set-up the environment.
>>
>>
>> Index: certdir/README
>> ===================================================================
>> RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v
>> retrieving revision 1.1
>> diff -u -r1.1 README
>> --- certdir/README      17 Nov 2011 11:27:50 -0000      1.1
>> +++ certdir/README      22 Nov 2011 19:29:27 -0000
>> @@ -42,3 +42,11 @@
>>   The subdirectory server contains what should be copied to the PGDATA
>> directory.
>>
>>   For the tests the sslinfo module must be installed into every database.
>> +The ssl=on must be set in postgresql.conf
>> +
>> +The following command creates the databases and installs the sslinfo
>> module.
>> +
>> +for db in hostssldb hostnossldb certdb hostsslcertdb; do
>> +  createdb $db
>> +  psql $db -c "create extension sslinfo"
>> +done
>>
>> --
>> Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-jdbc
>>


pgsql-jdbc by date:

Previous
From: chris humphrey
Date:
Subject: Re: bytea problem
Next
From: Mikko Tiihonen
Date:
Subject: Re: SslTests failures - resolved