Re: stunnel with just postgresql client part - Mailing list pgsql-general

From Merlin Moncure
Subject Re: stunnel with just postgresql client part
Date
Msg-id BANLkTi=vmj5q_hbwEx6nMRvxXrTWT5J=ng@mail.gmail.com
Whole thread Raw
In response to Re: stunnel with just postgresql client part  (zhong ming wu <mr.z.m.wu@gmail.com>)
Responses Re: stunnel with just postgresql client part
List pgsql-general
On Mon, May 9, 2011 at 7:17 PM, zhong ming wu <mr.z.m.wu@gmail.com> wrote:
> On Mon, May 9, 2011 at 6:42 PM, Merlin Moncure <mmoncure@gmail.com> wrote:
>>> Thanks.  Yes, when I installed the latest stunnel-4.36 it works.
>>>
>>> One strange thing I notice.  When I do ssl connect with psql I am
>>> supposed to get a message like
>>>
>>> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
>>>
>>> With client side stunnel and (nonssl capable) psql I am not getting
>>> this message.  But still the connection seems to be ssl..
>>
>> it is? try setting up your connection string to require ssl.
>>
>
>
> I assume it is because in pg_hba.conf "hostssl" is specified for this
> client ip/user/database.  Plus I check ps output on the server during
> the connection and postgres server reports that connection is from the
> ip address specified in pg_hba.conf
>
> Here is what I tried
> ---------------
> PGSSLMODE=require bin/psql -h 127.0.0.1 -U xmpp xmpp
> psql: server does not support SSL, but SSL was required
> --------------
>
> Just so I don't get confused between multiple lines in pg_hba.conf I
> also deleted all other lines in it and retested.  Assuming postgres
> server is correctly applying the restrictions in pg_hba.conf, and
> assuming the out put of "ps" is reliable then I am doing an ssl
> connection but somehow psql does not think so and does not work unless
> I drop PGSSLMODE=require

Now manybe *I'm* a little confused.  Are you connecting to the write
port (stunnel's secure port)? As I understand it, the stunnel pgsql
protocol is such that the client side libpq application can connect to
stunnel which unwraps the encrypted data and connects w/o ssl to
postgres.  From the server's point of view, the connection should be
unencrypted and from the client's it should remain encrypted.

I can think of two reasons why you would want to do this:
*) pgbouncer, or a some other connection pooler type piece of software
that does not support ssl
*) for loading purposes you are trying to keep all
encryption/decryption off the main server.

merlin

pgsql-general by date:

Previous
From: Iain Barnett
Date:
Subject: Re: pg_upgrade only to 9.0 ?
Next
From: Noah Misch
Date:
Subject: Re: "interval hour to minute" or "interval day to minute"