Thread: Fwd: ssl database connection problems...
Begin forwarded message:
From: Carol Walter <walterc@indiana.edu>
Date: December 31, 2008 11:16:01 AM GMT-05:00
To: Ray Stell <stellr@cns.vt.edu>
Subject: Re: [ADMIN] ssl database connection problems...

Sorry, I obviously am pretty clueless.
Thanks,
Carol
On Dec 31, 2008, at 10:09 AM, Ray Stell wrote:

> On Wed, Dec 31, 2008 at 09:19:12AM -0500, Carol Walter wrote:
>> Here's the output from s_client & s_server commands...
>>
>> # openssl s_client
>> connect: Connection refused
>> connect:errno=146
>
> oh, I think you need to use some more flags. Take a look at
> this howto: http://www.madboa.com/geek/openssl/

Here's the output from the s_client command...

walterc@iris:~$ openssl s_client -connect db.slis.indiana.edu:5433
CONNECTED(00000005)
9726:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:../../../../common/openssl/ssl/s23_lib.c:226:

On the web site you directed me to, the s_server command uses a file called 'mycert.pem'. Do you know what the system is expecting for this file? I tried running it without having 'mycert.pem' created and got errors saying that it couldn't open the file, of course. Anyway, here's the output I got from that command...

bash-3.00# openssl s_server -accept 443 -cert mycert.pem -WWW
Using default temp DH parameters
unable to get certificate from 'mycert.pem'
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:104:fopen('mycert.pem','r')
7408:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('mycert.pem','r')
7408:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
7408:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../../../../common/openssl/ssl/ssl_rsa.c:515:

I don't have a root.crt file.

> # openssl verify -CAfile ./root.crt testcert.pem
>
> right, my file root.ca was self generated using openssl (I'm the CA). It is
> analogous to the CA chain you might buy from Thawte or some other trusted
> authority. It is the file that I used to sign my server crt file, testcrt.pem.
>
> Yeah, you don't need it unless you want to auth a login with pg, but we
> are not there yet. You need to verify that openssl is not fubar first, right?
>
> Best in 2009, everyone: Carbon-free city under construction, cool!
> http://cosmos.bcst.yahoo.com/up/ynews;_ylt=AgPr9FSysEdu1cF5ydA9CPr737YB?ch=4226722&cl=11310260&lang=en
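The `ssl handshake failure` that s_client reports against port 5433 above is what any plain TLS client gets from a PostgreSQL port: the server expects an 8-byte SSLRequest startup packet and answers it with a single `S` or `N` byte before any TLS handshake begins. The following Python probe is an added example, not code from the thread or from PostgreSQL; it sends that packet, interprets the reply and, on `S`, completes the handshake and returns the server certificate as PEM so it can be checked against root.crt as Ray suggests. Host, port and the optional `cafile` are whatever the caller passes in.

```python
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL does not speak TLS directly on its port: the client first sends
# an 8-byte SSLRequest (int32 length = 8, int32 code = 80877103, big-endian)
# and the server answers with one byte, b"S" (start the TLS handshake now)
# or b"N" (ssl = off). A plain TLS client such as `openssl s_client` skips
# this step, which is why it reports a handshake failure against port 5433.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the SSLRequest startup packet."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(answer: bytes) -> bool:
    """True if the server will do TLS, False if SSL is off."""
    if answer == b"S":
        return True
    if answer == b"N":
        return False
    # Anything else: not a PostgreSQL server, or something in between answered.
    raise ValueError("unexpected SSLRequest reply: %r" % (answer,))


def fetch_postgres_server_cert(host: str, port: int = 5432,
                               cafile: Optional[str] = None,
                               timeout: float = 5.0) -> Optional[str]:
    """Send SSLRequest to host:port; on "S" finish the handshake and return
    the server certificate as PEM, on "N" return None.

    cafile is the CA chain (root.crt in this thread). With it the chain is
    verified during the handshake; without it verification is skipped, which
    matches `openssl s_client` defaults and is only acceptable for diagnosis.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not parse_ssl_response(raw.recv(1)):
            return None
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Call it as `fetch_postgres_server_cert("db.slis.indiana.edu", 5433, cafile="root.crt")` and write the returned PEM to a file for `openssl verify -CAfile root.crt`; OpenSSL 1.1.1 and later can also perform this same SSLRequest step with `openssl s_client -starttls postgres`.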
On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>> On the web site you directed me to, the s_server command uses a file
>> called 'mycert.pem'. Do you know what the system is expecting for this file?

It's just a file and you tell openssl where it is, where you put it once it is created. You request this file from your CA (certificate authority) who will provide you with the root.crt, the public side of the chain. You can generate your own with openssl. Here's a great demo: http://www.madboa.com/geek/openssl/#cert
Well, back from the flu. =P

How do I tell postgres where to look for ssl? I've got both the new and the original versions of openssl. I don't want to remove the original one because it's loaded on the global zone and I don't know what other dependencies it might have. Do I have to back everything out and run ./configure again? I don't see a parm in postgresql.conf.

Thanks,
Carol

On Dec 31, 2008, at 4:08 PM, Ray Stell wrote:
> On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>>> On the web site you directed me to, the s_server command uses a file
>>> called 'mycert.pem'. Do you know what the system is expecting for
>>> this file?
>
> It's just a file and you tell openssl where it is, where you put it
> once it is created. You request this file from your CA (certificate
> authority) who will provide you with the root.crt, the public side of
> the chain. You can generate your own with openssl. Here's a great
> demo: http://www.madboa.com/geek/openssl/#cert
>
./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib --with-includes=/usr/local/openssl/include/ --with-openssl

On Fri, Jan 09, 2009 at 03:47:54PM -0500, Carol Walter wrote:
> Well, back from the flu. =P
>
> How do I tell postgres where to look for ssl? I've got both the new and
> the original versions of openssl. I don't want to remove the original one
> because it's loaded on the global zone and I don't know what other
> dependencies it might have. Do I have to back everything out and run
> ./configure again? I don't see a parm in postgresql.conf.
>
> Thanks,
> Carol
>
> On Dec 31, 2008, at 4:08 PM, Ray Stell wrote:
>
>> On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>>>> On the web site you directed me to, the s_server command uses a file
>>>> called 'mycert.pem'. Do you know what the system is expecting for this
>>>> file?
>>
>> It's just a file and you tell openssl where it is, where you put it
>> once it is created. You request this file from your CA (certificate
>> authority) who will provide you with the root.crt, the public side of
>> the chain. You can generate your own with openssl. Here's a great
>> demo: http://www.madboa.com/geek/openssl/#cert
>>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
On Fri, Jan 09, 2009 at 04:08:00PM -0500, Ray Stell wrote:
> ./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib --with-includes=/usr/local/openssl/include/ --with-openssl
>
> On Fri, Jan 09, 2009 at 03:47:54PM -0500, Carol Walter wrote:
>> Well, back from the flu. =P

Sorry for the unsupported top post, I forgot where I was. Sorry about the flu, I did that the week of Dec 16. I think I lost some weight...

>> How do I tell postgres where to look for ssl? I've got both the new and
>> the original versions of openssl. I don't want to remove the original one

./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib --with-includes=/usr/local/openssl/include/ --with-openssl