Fwd: ssl database connection problems... - Mailing list pgsql-admin

From: Carol Walter <walterc@indiana.edu>

Date: December 31, 2008 11:16:01 AM GMT-05:00

To: Ray Stell <stellr@cns.vt.edu>

Subject: Re: [ADMIN] ssl database connection problems...

Sorry, I obviously am pretty clueless.

Thanks,
Carol

On Dec 31, 2008, at 10:09 AM, Ray Stell wrote:

On Wed, Dec 31, 2008 at 09:19:12AM -0500, Carol Walter wrote:

Here's the output from s_client & s_server commands...

# openssl s_client

connect: Connection refused

connect:errno=146

oh, I think you need to use some more flags.  Take a look at

this howto:  http://www.madboa.com/geek/openssl/

Here's the output from the s_client command...
walterc@iris:~$ openssl s_client -connect db.slis.indiana.edu:5433
CONNECTED(00000005)
9726:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:../../../../common/openssl/ssl/s23_lib.c:226:

On the web site you directed me to, the s_server command uses a file called 'mycert.pem'.  Do you know what the system expecting for this file?  I tried running it without having 'mycert.pem' created and got errors saying that it couldn't open the file, of course.  Anyway, here's the output I got from that command...

bash-3.00# openssl s_server -accept 443 -cert mycert.pem -WWW
Using default temp DH parameters
unable to get certificate from 'mycert.pem'
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:104:fopen('mycert.pem','r')
7408:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('mycert.pem','r')
7408:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
7408:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../../../../common/openssl/ssl/ssl_rsa.c:515:

I don't have a root.crt file.

# openssl  verify -CAfile ./root.crt testcert.pem

right, my file root.ca was self generated using openssl (I'm the CA).  It is

analogous to the CA chain you might buy from Thawte or some other trusted

authority.  It is the file that I used to sign my server crt file, testcrt.pem.

`

Yeah, you don't need it unless you want to auth a login with pg, but we

are not there yet.  You need to verify that openssl is not fubar first, right?

Best in 2009, everyone:  Carbon-free city under construction,   cool!

http://cosmos.bcst.yahoo.com/up/ynews;_ylt=AgPr9FSysEdu1cF5ydA9CPr737YB?ch=4226722&cl=11310260&lang=en