Re: PostgreSQL with SSL - Mailing list pgsql-admin
| From | Jose Berardo |
|---|---|
| Subject | Re: PostgreSQL with SSL |
| Date | |
| Msg-id | j2o9009a4451004151422r4cde72f4o868d4e7017cfab5b@mail.gmail.com Whole thread Raw |
| In response to | Re: PostgreSQL with SSL ("Martin Münstermann" <mmuenst@gmx.de>) |
| Responses |
Re: PostgreSQL with SSL
(Tom Lane <tgl@sss.pgh.pa.us>)
Re: PostgreSQL with SSL ("Martin Münstermann" <mmuenst@gmx.de>) |
| List | pgsql-admin |
Hello.
As I have told, I'm new on using PostgreSQL over SSL connections.
I have worked with SSL before, but I'm really far from being an expert about it.
Sorry for asking you before read all the documentation, I have looked for It in wrong pages and didn't find anything. After writing, I read a lot about this subject because I'm a teacher, PostgreSQL enthusiastic and I've started to write a tutorial about SSL.
Maybe my questions are the same of someone, so let me talk about them (thank you Bruce for the answers):
> > - There is any parameter to configure the path (and name) to certificate
> > (server.crt) and private key (server.key) like hba_file or ident_file in
> > postgresql.conf or any other?
>
> No, we only allow those fixed file names.
Sorry, the documentation told me this just after my precipitated question.
> > - Is it possible to store the server.key in a ciphered file with triple-des
> > and configure the PostgreSQL to use a simetric-key to open it when it's
> > necessary?
> > Maybe I'm wrong but my server only works with I plain private key.
>
> No.
I believe that it may be a good idea, it may bring another security level, I'm wrong?
Just saving the private key file inside the cluster with no privilegies for other users (the server suggests 0600 mask for it) is still sufficient to protected the key?
I believe that may be interesting the server, at start time, when reading the key, asks the administrator the password (e.g. a triple-des simetric key) the same way that OpenSSL asks when we need to generate de public key or generate crt or csr.
What do you think, Bruce?
> > I'm trying to use the java keytool in place of openssl.
> > - I believe that it not possible to start the PostgreSQL server without
> > openssl (and ssl-dev package in debian), is it correct?
>
> Yes, I don't think the java keytool works.
Oh, the documentation defeated me twice. The server reads the openssl configuration at start time too.
The keytool may be used only to generate the key pair and the certificate, but it can not export the private key from its keystore. You need another tool or to write a Java code to do that.
> > - When I create keys and certificates with keytool, it creates a java
> > keystore to store everything. I know how to export the certificate but I
> > don't know how to export the private key and when I use the keytool
> > certificate, the server crashes with this message:
> >
> > FATAL: could not load server certificate file "server.crt": no start line
> >
> > Sorry about too many questions, but anyone can help me to understand more
> > about ssl in PostgreSQL?
>
> Have you read the documentation about creating a server key?
>
> http://www.postgresql.org/docs/8.4/static/ssl-tcp.html
Thank you Bruce, but this question was about the format of the certificate generated by keytool.
I was missing the -rfc option when exporting the certificate.
Please friends, let me write an example here:
keytool -exportcert -alias myalias -file mycertificate.crt -keystore mykeystore.jks -storepass mypass -rfc
With the -rfc, the keytool prints out the certificate in accordance with the RFC 1421.
Martin, thank you too.
The PEM format is exactly the base64 encoded format in this RFC.
Thanks a lot,
--
Jose Berardo
--
Atenciosamente,
Jose Berardo
Especializa Treinamentos
www.especializa.com.br
+55 81 3465.0032
As I have told, I'm new on using PostgreSQL over SSL connections.
I have worked with SSL before, but I'm really far from being an expert about it.
Sorry for asking you before read all the documentation, I have looked for It in wrong pages and didn't find anything. After writing, I read a lot about this subject because I'm a teacher, PostgreSQL enthusiastic and I've started to write a tutorial about SSL.
Maybe my questions are the same of someone, so let me talk about them (thank you Bruce for the answers):
> > - There is any parameter to configure the path (and name) to certificate
> > (server.crt) and private key (server.key) like hba_file or ident_file in
> > postgresql.conf or any other?
>
> No, we only allow those fixed file names.
Sorry, the documentation told me this just after my precipitated question.
> > - Is it possible to store the server.key in a ciphered file with triple-des
> > and configure the PostgreSQL to use a simetric-key to open it when it's
> > necessary?
> > Maybe I'm wrong but my server only works with I plain private key.
>
> No.
I believe that it may be a good idea, it may bring another security level, I'm wrong?
Just saving the private key file inside the cluster with no privilegies for other users (the server suggests 0600 mask for it) is still sufficient to protected the key?
I believe that may be interesting the server, at start time, when reading the key, asks the administrator the password (e.g. a triple-des simetric key) the same way that OpenSSL asks when we need to generate de public key or generate crt or csr.
What do you think, Bruce?
> > I'm trying to use the java keytool in place of openssl.
> > - I believe that it not possible to start the PostgreSQL server without
> > openssl (and ssl-dev package in debian), is it correct?
>
> Yes, I don't think the java keytool works.
Oh, the documentation defeated me twice. The server reads the openssl configuration at start time too.
The keytool may be used only to generate the key pair and the certificate, but it can not export the private key from its keystore. You need another tool or to write a Java code to do that.
> > - When I create keys and certificates with keytool, it creates a java
> > keystore to store everything. I know how to export the certificate but I
> > don't know how to export the private key and when I use the keytool
> > certificate, the server crashes with this message:
> >
> > FATAL: could not load server certificate file "server.crt": no start line
> >
> > Sorry about too many questions, but anyone can help me to understand more
> > about ssl in PostgreSQL?
>
> Have you read the documentation about creating a server key?
>
> http://www.postgresql.org/docs/8.4/static/ssl-tcp.html
Thank you Bruce, but this question was about the format of the certificate generated by keytool.
I was missing the -rfc option when exporting the certificate.
Please friends, let me write an example here:
keytool -exportcert -alias myalias -file mycertificate.crt -keystore mykeystore.jks -storepass mypass -rfc
With the -rfc, the keytool prints out the certificate in accordance with the RFC 1421.
Martin, thank you too.
The PEM format is exactly the base64 encoded format in this RFC.
Thanks a lot,
--
Jose Berardo
On Thu, Apr 15, 2010 at 4:45 AM, "Martin Münstermann" <mmuenst@gmx.de> wrote:
Hello.It is important that the server.crt and server.key files are in so-called PEM format.
> > don't know how to export the private key and when I use the keytool
> > certificate, the server crashes with this message:
> >
> > FATAL: could not load server certificate file "server.crt": no start
> line
> >
> > Sorry about too many questions, but anyone can help me to understand
> more
> > about ssl in PostgreSQL?
>
> Have you read the documentation about creating a server key?
>
> http://www.postgresql.org/docs/8.4/static/ssl-tcp.html
So they have to be text files and look like:
-----BEGIN CERTIFICATE-----
<some base64 encoded data>
-----END CERTIFICATE-----
and
-----BEGIN RSA PRIVATE KEY-----
<some base64 encoded data>
-----END RSA PRIVATE KEY-----
This is the default format produced by openssl.
The private key format is also openssl-specific, so probably you are out of luck with keytool.
Regards,
Martin
--
GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01
--
Atenciosamente,
Jose Berardo
Especializa Treinamentos
www.especializa.com.br
+55 81 3465.0032
pgsql-admin by date: