Thread: Fwd: ssl database connection problems...

Fwd: ssl database connection problems...

From
Carol Walter
Date:


Begin forwarded message:

From: Carol Walter <walterc@indiana.edu>
Date: December 31, 2008 11:16:01 AM GMT-05:00
To: Ray Stell <stellr@cns.vt.edu>
Subject: Re: [ADMIN] ssl database connection problems...

Sorry, I obviously am pretty clueless.

Thanks,
Carol

On Dec 31, 2008, at 10:09 AM, Ray Stell wrote:

On Wed, Dec 31, 2008 at 09:19:12AM -0500, Carol Walter wrote:
Here's the output from s_client & s_server commands...

# openssl s_client
connect: Connection refused
connect:errno=146

oh, I think you need to use some more flags.  Take a look at
this howto:  http://www.madboa.com/geek/openssl/

Here's the output from the s_client command...
walterc@iris:~$ openssl s_client -connect db.slis.indiana.edu:5433
CONNECTED(00000005)
9726:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:../../../../common/openssl/ssl/s23_lib.c:226:

On the web site you directed me to, the s_server command uses a file called 'mycert.pem'.  Do you know what the system expecting for this file?  I tried running it without having 'mycert.pem' created and got errors saying that it couldn't open the file, of course.  Anyway, here's the output I got from that command...

bash-3.00# openssl s_server -accept 443 -cert mycert.pem -WWW
Using default temp DH parameters
unable to get certificate from 'mycert.pem'
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:104:fopen('mycert.pem','r')
7408:error:2006D080:BIO routines:BIO_new_file:no such file:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:107:
7408:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('mycert.pem','r')
7408:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/bio/bss_file.c:278:
7408:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../../../../common/openssl/ssl/ssl_rsa.c:515:


I don't have a root.crt file.

# openssl  verify -CAfile ./root.crt testcert.pem

right, my file root.ca was self generated using openssl (I'm the CA).  It is
analogous to the CA chain you might buy from Thawte or some other trusted
authority.  It is the file that I used to sign my server crt file, testcrt.pem.
`
Yeah, you don't need it unless you want to auth a login with pg, but we
are not there yet.  You need to verify that openssl is not fubar first, right?


Best in 2009, everyone:  Carbon-free city under construction,   cool!

http://cosmos.bcst.yahoo.com/up/ynews;_ylt=AgPr9FSysEdu1cF5ydA9CPr737YB?ch=4226722&cl=11310260&lang=en


Re: Fwd: ssl database connection problems...

From
Ray Stell
Date:
On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>> On the web site you directed me to, the s_server command uses a file
>> called 'mycert.pem'.  Do you know what the system expecting for this file?

It's just a file and you tell openssl where it is, where you put it
once it is created.  You request this file from your CA (certificate
authority) who will provide you with the root.crt, the public side of
the chain.  You can generate your own with openssl.   Here's a great
demo: http://www.madboa.com/geek/openssl/#cert


Re: ssl database connection problems...

From
Carol Walter
Date:
Well, back from the flu.  =P

How do I tell postgres where to look for ssl.  I've got both the new
and the original versions of openssl.  I don't want to remove the
original one because it's loaded on the global zone and I don't know
what other dependencies it might have.  Do I have to back everything
out and run ./configure again?  I don't see a parm in postgresql.conf.

Thanks,
Carol

On Dec 31, 2008, at 4:08 PM, Ray Stell wrote:

> On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>>> On the web site you directed me to, the s_server command uses a file
>>> called 'mycert.pem'.  Do you know what the system expecting for
>>> this file?
>
> It's just a file and you tell openssl where it is, where you put it
> once it is created.  You request this file from your CA (certificate
> authority) who will provide you with the root.crt, the public side of
> the chain.  You can generate your own with openssl.   Here's a great
> demo: http://www.madboa.com/geek/openssl/#cert
>


Re: ssl database connection problems...

From
Ray Stell
Date:
./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib
--with-includes=/usr/local/openssl/include/ --with-openssl  


On Fri, Jan 09, 2009 at 03:47:54PM -0500, Carol Walter wrote:
> Well, back from the flu.  =P
>
> How do I tell postgres where to look for ssl.  I've got both the new and
> the original versions of openssl.  I don't want to remove the original one
> because it's loaded on the global zone and I don't know what other
> dependencies it might have.  Do I have to back everything out and run
> ./configure again?  I don't see a parm in postgresql.conf.
>
> Thanks,
> Carol
>
> On Dec 31, 2008, at 4:08 PM, Ray Stell wrote:
>
>> On Wed, Dec 31, 2008 at 11:16:42AM -0500, Carol Walter wrote:
>>>> On the web site you directed me to, the s_server command uses a file
>>>> called 'mycert.pem'.  Do you know what the system expecting for this
>>>> file?
>>
>> It's just a file and you tell openssl where it is, where you put it
>> once it is created.  You request this file from your CA (certificate
>> authority) who will provide you with the root.crt, the public side of
>> the chain.  You can generate your own with openssl.   Here's a great
>> demo: http://www.madboa.com/geek/openssl/#cert
>>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

Re: ssl database connection problems...

From
Ray Stell
Date:
On Fri, Jan 09, 2009 at 04:08:00PM -0500, Ray Stell wrote:
> ./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib
--with-includes=/usr/local/openssl/include/ --with-openssl  
>
>
> On Fri, Jan 09, 2009 at 03:47:54PM -0500, Carol Walter wrote:
> > Well, back from the flu.  =P

sorry for the unsupported top post, I forgot where I was.

sorry about the flu, I did that the week of Dec 16.  I think
I lost some weight...


> > How do I tell postgres where to look for ssl.  I've got both the new and
> > the original versions of openssl.  I don't want to remove the original one

./configure --prefix=/usr/local/pgsql826 --with-libraries=/usr/local/openssl/lib
--with-includes=/usr/local/openssl/include/ --with-openssl