On 11/22/2011 10:31 PM, Mikko Tiihonen wrote:
> On 11/22/2011 09:40 PM, Dave Cramer wrote:
>> Mikko,
>>
>> You probably (like me) have a very permissive pg_hba.conf file. It
>> needs to be restricted so that local databases need to connect via
>> ssl. At least that was my experience.
>
> Thanks, that helped me further. I had to uncomment all lines starting with
> "host all" or use the provided pg_hba.conf as is.
>
> Now I have only 28 failures:
> sslcertgh[89]-disable*
> sslcertbh[89]-disable*
>
> They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest" on jdbc driver side
> and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on server side.
>
> I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which
> case I'll update the documentation to say that the postgres account for SSL tests must be named "test".
After running "createuser test -P" all ssl tests pass.
Here is the final patch to the README to document what the next user has to do to set up the tests.
Index: certdir/README
===================================================================
RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v
retrieving revision 1.1
diff -u -r1.1 README
--- certdir/README 17 Nov 2011 11:27:50 -0000 1.1
+++ certdir/README 22 Nov 2011 21:01:58 -0000
@@ -40,5 +40,18 @@
#Common name is localhost, no password
The subdirectory server contains what should be copied to the PGDATA directory.
+If you do not overwrite the pg_hba.conf then remember to comment out all lines
+starting with "host all".
For the tests the sslinfo module must be installed into every database.
+The ssl=on must be set in postgresql.conf
+
+The following command creates the databases and installs the sslinfo module.
+
+for db in hostssldb hostnossldb certdb hostsslcertdb; do
+ createdb $db
+ psql $db -c "create extension sslinfo"
+done
+
+The username for connecting to postgres as specified in build.local.properties tests has to be "test".
+
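Review bot: The last added line states that the username has to be "test" but never tells the reader to create that role, even though the message above reports that running createuser test -P is what made the SSL tests pass. Put that command next to the createdb loop so the setup steps are complete in one place. It would also help to say why the name is fixed: the server log quoted above shows the authenticated user name as "test", so any other name in build.local.properties fails certificate authentication. The phrase "as specified in build.local.properties tests" reads as if a word is missing; something like "the username set in build.local.properties for the tests" would be clearer. The new pg_hba.conf lines say to "comment out" the lines starting with "host all" while the discussion says they had to be uncommented, so please confirm which is meant. Finally, "The ssl=on must be set in postgresql.conf" lacks a full stop and sits after the sslinfo sentence; it fits better beside the pg_hba.conf instruction, since both are server configuration steps.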