Re: SslTests failures - resolved - Mailing list pgsql-jdbc

From Mikko Tiihonen
Subject Re: SslTests failures - resolved
Date
Msg-id 4ECC0E77.1080500@nitorcreations.com
In response to Re: SslTests failures  (Mikko Tiihonen <mikko.tiihonen@nitorcreations.com>)
Responses Re: SslTests failures - resolved
List pgsql-jdbc
On 11/22/2011 10:31 PM, Mikko Tiihonen wrote:
> On 11/22/2011 09:40 PM, Dave Cramer wrote:
>> Mikko,
>>
>> You probably (like me) have a very permissive pg_hba.conf file. It
>> needs to be restricted so that local databases need to connect via
>> ssl. At least that was my experience.
>
> Thanks, that helped me further. I had to uncomment all lines starting with
> "host all" or use the provided pg_hba.conf as is.
>
> Now I have only 28 failures:
> sslcertgh[89]-disable*
> sslcertbh[89]-disable*
>
> They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest"" on jdbc driver side
> and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on server side.
>
> I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which
> case I'll update the documentation to say that the postgres account for SSL tests must be named "test".

After running "createuser test -P" all ssl tests pass.

Here is the final patch to the README to document what the next user has to do to set up the tests.

Index: certdir/README
===================================================================
RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v
retrieving revision 1.1
diff -u -r1.1 README
--- certdir/README    17 Nov 2011 11:27:50 -0000    1.1
+++ certdir/README    22 Nov 2011 21:01:58 -0000
@@ -40,5 +40,18 @@
  #Common name is localhost, no password

  The subdirectory server contains what should be copied to the PGDATA directory.
+If you do not overwrite the pg_hba.conf then remember to comment out all lines
+starting with "host all".

  For the tests the sslinfo module must be installed into every database.
+The ssl=on must be set in postgresql.conf
+
+The following command creates the databases and installs the sslinfo module.
+
+for db in hostssldb hostnossldb certdb hostsslcertdb; do
+  createdb $db
+  psql $db -c "create extension sslinfo"
+done
+
+The username for connecting to postgres as specified in build.local.properties tests has to be "test".
+
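
Review bot: The last added line says the username has to be "test" but not that the role must be created on the server or why the name is fixed, and "as specified in build.local.properties tests" does not parse. The message above reports that the tests passed only after running "createuser test -P", and the server log it quotes ("provided user name (jdbctest) and authenticated user name (test) do not match") shows the name is the one produced by certificate authentication, so I would add the createuser command next to the createdb loop and one sentence saying that the certificate-authenticated name is "test". Two smaller points: the pg_hba.conf sentence should say why the "host all" lines have to go (the quoted reply says the file needs to be restricted so that local databases connect via ssl), and the loop should quote "$db" and stop when createdb fails instead of running psql against a database that was not created.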
