Thread: ssl
I'm using redhat 8.0 and postgresql 7.2.4 (rpm from postgresql.org). I want to enable ssl.

I have edited postgresql.conf to ssl = true. I also follow the 7.3 manual (from postgresql.org) to create certificates and placed them in /var/lib/pgsql/data/. Then restart the server with /etc/init.d/postgresql restart. The result is [Failed]. What else should I do? Or procedure for 7.3 is different from 7.2.4? Or the rpm does not have ssl enabled when compile?

-Jason

On Wed, 19 Mar 2003, pg wrote:

> I'm using redhat 8.0 and postgresql 7.2.4 (rpm from postgresql.org). I want
> to enable ssl.
>
> I have edited postgresql.conf to ssl = true. I also follow the 7.3 manual
> (from postgresql.org) to create certificates and placed them in
> /var/lib/pgsql/data/. Then restart the server with /etc/init.d/postgresql
> restart. The result is [Failed]. What else should I do? Or procedure for 7.3
> is different from 7.2.4? Or the rpm does not have ssl enabled when compile?

How does it fail? Just with a '[Failed]' message in the logs?

I must say my non rpm installation doesn't seem to pick up the hostssl line in
pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
get very far into looking into that so it's probably something I'm doing wrong.

FWIW, my pg_hba entry is:

hostssl all all xx.xx.xx.xx 255.255.255.240 md5

and the error I get is:

FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc

--
Nigel J. Andrews

"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:

> I must say my non rpm installation doesn't seem to pick up the hostssl line in
> pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
> get very far into looking into that so it's probably something I'm doing wrong.
>
> FWIW, my pg_hba entry is:
> hostssl all all xx.xx.xx.xx 255.255.255.240 md5
> and the error I get is:
> FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc

I believe it would act that way if the incoming connection is non-SSL
(which suggests that your libpq isn't compiled with SSL support).

regards, tom lane

On Wed, 19 Mar 2003, Tom Lane wrote:

> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > I must say my non rpm installation doesn't seem to pick up the hostssl line in
> > pg_hba. Or at least it doesn't match it when a connection comes in. I didn't
> > get very far into looking into that so it's probably something I'm doing wrong.
> >
> > FWIW, my pg_hba entry is:
> > hostssl all all xx.xx.xx.xx 255.255.255.240 md5
> > and the error I get is:
> > FATAL: No pg_hba.conf entry for host xx.xx.xx.xx, user vtc, database vtc
>
> I believe it would act that way if the incoming connection is non-SSL
> (which suggests that your libpq isn't compiled with SSL support).

Interesting you should say that because I now remember what happened, slap me
with a wet fish later for the noise.

I'm convinced I rebuilt on the workstation in order to get a libpq with ssl. I
am equally convinced I tested it and it worked. Then a couple of days later
trying to get the developers using Windows to be able to connect I looked at it
again and I found my psql was no longer linked against the ssl library. Was very
weird. However, I never was able to get the developers connected. I may need to
revisit that later.

Sorry for the noise, my memory is going.

--
Nigel Andrews

How is one supposed to connect to the SSL connection from script languages?

On Wed, 19 Mar 2003, Dennis Gearon wrote:

> How is one supposed to connect to the SSL connection from script languages?

If they're using libpq which I believe the non pure perl interface does then it
should be transparent if the client's libpq has been built with ssl enabled.

The tcl interface uses libpq no doubt, I don't know about python but I don't see
why it wouldn't and of course psql uses libpq so that's covered as well.

ssh tunneling works I believe as well...indeed, trawling my memory again, maybe
that's what I had working and I never did rebuild the workstation's package with
ssl. Oh well, there's that memory thing again.

Nigel Andrews

Oh, my problem is My server doesn't even start, and there's no log about this start failure. Screen dump as below :

============
[root@local init.d]# ./postgresql start
Starting postgresql service: [ FAILED ]
============

Does the postgresql contained in standard (from postgresql.org) compiled with ssl enabled?

-Jason

On Thu, 2003-03-20 at 01:46, pg wrote:

> Oh, my problem is My server doesn't even start, and there's no log about
> this start failure. Screen dump as below :
>
> ============
> [root@local init.d]# ./postgresql start
> Starting postgresql service: [ FAILED ]
> ============
>
> Does the postgresql contained in standard (from postgresql.org) compiled
> with ssl enabled?

Find out thus:

$ ldd /usr/lib/postgresql/bin/postmaster
        libpam.so.0 => /lib/libpam.so.0 (0x40023000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4002c000)
        ...

So in my case the answer is yes.

--
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"Every good gift and every perfect gift is from above,
coming down from the Father of the heavenly lights,
who does not change like shifting shadows."
James 1:17

It is yes in my case too :

[root@local root]# ldd /usr/bin/postmaster
        libpam.so.0 => /lib/libpam.so.0 (0x40023000)
        libssl.so.2 => /lib/libssl.so.2 (0x4002c000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x4005c000)
        libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40130000)
        libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4018d000)
        libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x4019d000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4019f000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x401ae000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x401db000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x401ed000)
        libdl.so.2 => /lib/libdl.so.2 (0x40203000)
        libm.so.6 => /lib/libm.so.6 (0x40206000)
        libreadline.so.4 => /usr/lib/libreadline.so.4 (0x40228000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x40255000)
        libc.so.6 => /lib/libc.so.6 (0x40259000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

So what have I done wrong??
I turned ssl = on in postgresql.conf, and restart postgresql. It just failed.

-Jason

"Jason" <pg@newhonest.com> writes:

> So what have I done wrong??
> I turned ssl = on in postgresql.conf, and restart postgresql. It just
> failed.

No error message? If so, look again (or more likely, look to see why
your start script is routing the postmaster's complaint to /dev/null).

My private bet is that you haven't set up the key/certificate files
needed by SSL, but there's not much use in guessing about it. First
thing you need is to be able to say something more concrete than "it
just failed".

regards, tom lane

Hi Tom,

I've followed strictly as suggested by techdoc to create certs (server.crt, server.key, server.req). The only two factors I'm not sure are :
1. where should I put those certs. I've put them in /var/lib/pgsql/data, where postgresql.conf sitting.
2. what user rights should the certs be. The ones I have now are already anybody readable.

After setting the above and ssl = on in postgresql.conf, I restart the server with /etc/init.d/postgresql restart, it failed with no logging in pgsql (which is logging all local0), or message.log (the system log).

-Jason

Sorry for making this trouble.

I chmod postgres.postgres server.*, and the server started normally.

Thanks for help.

-Jason

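A pre-flight check for the two things this thread ended up verifying by hand, added here as an example and not taken from any poster or from the PostgreSQL project: who owns server.crt and server.key in the data directory, and whether a binary links libssl. The function names, the owner-only mode rule applied to server.key, and the use of GNU stat/find are assumptions of the example.

```shell
#!/bin/sh
# Added example. Assumes Linux (GNU stat/find) and files named server.crt and
# server.key in the data directory, as in the thread.

# check_ssl_files DATADIR OWNER
# OWNER is the account the postmaster runs as (name or numeric uid).
# Prints one line per problem; returns 0 only when nothing was found.
check_ssl_files() {
    dir=$1 owner=$2 rc=0
    for f in server.crt server.key; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        # The fix reported in the thread: the files have to belong to the
        # account the server runs as.
        if [ -z "$(find "$path" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
            echo "OWNER    $path is owned by $(stat -c %U "$path"), expected $owner"
            rc=1
        fi
    done
    key=$dir/server.key
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")
        # Example's own hardening rule: no group/other bits on the private key.
        case $mode in
            *00) ;;
            *) echo "MODE     $key is $mode, expected owner-only (e.g. 600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# links_libssl BINARY
# True when ldd lists libssl for BINARY: the check done by eye in the thread
# for the postmaster, equally applicable to psql or any other libpq client.
links_libssl() {
    ldd "$1" 2>/dev/null | grep -q 'libssl\.so'
}
```

Typical use on the layout from the thread would be `check_ssl_files /var/lib/pgsql/data postgres` followed by `links_libssl /usr/bin/postmaster`, run before restarting the service so that a silent `[ FAILED ]` from the init script is not the only signal.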