Thread: using a .postgresql/root.crt

using a .postgresql/root.crt

From: Brandon Craig Rhodes
Date:
I now have SSL encryption working between psql and my PostgreSQL
server, but want to enable client verification of the server's SSL
certificate (and eventually vice-versa).

My problem is that when I copy my root.crt certificate into my
.postgresql directory, I am given the error:

    psql: unrecognized SSL error code

which I find terribly uninformative.  Adding the code

                          {
                            /* Caveat for anyone reusing this: SSL_get_error()
                             * returns an SSL_ERROR_* category for the last call,
                             * not a packed ERR_* code, so feeding it to
                             * ERR_error_string() yields a misleading string.
                             * The real OpenSSL error queue comes from
                             * ERR_get_error() / ERR_print_errors_fp()
                             * (both in <openssl/err.h>, already included here). */
                            char buf[256];
                            ERR_error_string(SSL_get_error(conn->ssl, r),
                                             buf);
                            printf("%s\n", buf);
                            ERR_print_errors_fp(stderr); /* drain the queue too */
                          }

around line 928 in fe-secure.c shows me:

    error:00000004:lib(0):func(0):nested asn1 error

Has anyone else had problems getting certificate checking to work?
Feel free to suggest any commands with which I could explore with the
openssl command line tool whether my root certificate is really
legible and valid; the command

    /usr/local/ssl/bin/openssl verify < root.crt

gives me the notice

    error 18 at 0 depth lookup:self signed certificate

as one would expect, but nothing about not being able to parse the
certificate itself.

--
Brandon Craig Rhodes                         http://www.rhodesmill.org/brandon
Georgia Tech                                            brandon@oit.gatech.edu

Re: using a .postgresql/root.crt

From: Brandon Craig Rhodes
Date:
Brandon Craig Rhodes <brandon@oit.gatech.edu> writes:

> I now have SSL encryption working between psql and my PostgreSQL
> server, but want to enable client verification of the server's SSL
> certificate (and eventually vice-versa).

The problem of which I spoke has mysteriously but happily resolved
itself; the client now refuses to connect to the server unless
presented with an SSL certificate that can be verified using the
root.crt in my ~/.postgresql directory on the client.

My follow-up question: I now want the server to be able to verify the
client's identity.  But after giving the server my root.crt, where do
I put the certificate that the client should present to the server?

--
Brandon Craig Rhodes                         http://www.rhodesmill.org/brandon
Georgia Tech                                            brandon@oit.gatech.edu
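
As an added example (not code from the thread and not PostgreSQL's own code), the shell script below builds a throwaway CA with the openssl command-line tool and runs the checks the first post was looking for: whether root.crt really parses, whether a server certificate chains to it (with `openssl verify -CAfile root.crt server.crt`, rather than `openssl verify < root.crt`, which can only report that the root is self-signed), and whether a client private key has the restrictive mode libpq insists on. It assumes openssl 1.1.1 or later on PATH, and it uses the client-side file names that later libpq releases document, postgresql.crt and postgresql.key beside root.crt in ~/.postgresql; the release the thread concerns may differ, and the server-side counterpart (root.crt in the data directory) is not exercised here. All certificates and keys are generated in a temporary directory, so nothing touches the real ~/.postgresql.

```shell
#!/bin/sh
# Added example: exercising a libpq-style ~/.postgresql layout with a constructed,
# throwaway test PKI.  Assumes the openssl CLI (1.1.1 or later) is on PATH.
set -eu

# Build a self-signed CA plus one server and one client certificate signed by it.
# root.crt is the trust anchor the thread copies into ~/.postgresql;
# postgresql.crt/postgresql.key is the client's own certificate (assumed file
# names, as documented for later libpq releases).
make_test_pki() {
    dir=$1
    mkdir -p "$dir/.postgresql" "$dir/server"
    # Trust anchor: a self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/.postgresql/root.crt" -subj "/CN=Test Root CA"
    # Server certificate, signed by the CA: what the server presents to psql.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server/server.key" \
        -out "$dir/server/server.csr" -subj "/CN=db.example.test"
    openssl x509 -req -days 1 -in "$dir/server/server.csr" \
        -CA "$dir/.postgresql/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server/server.crt"
    # Client certificate, signed by the same CA: what the client presents.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/.postgresql/postgresql.key" \
        -out "$dir/.postgresql/client.csr" -subj "/CN=brandon"
    openssl x509 -req -days 1 -in "$dir/.postgresql/client.csr" \
        -CA "$dir/.postgresql/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/.postgresql/postgresql.crt"
    # An unrelated CA, to show that verification rejects the wrong trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other.key" -out "$dir/other.crt" -subj "/CN=Unrelated CA"
    chmod 0600 "$dir/.postgresql/postgresql.key"
}

# Is the certificate at least parseable?  `openssl verify < root.crt` never answers
# this: it stops at "self signed certificate".  `x509` fails outright on a truncated
# or corrupt file, which is the "nested asn1 error" class of problem.
cert_parses() {
    openssl x509 -in "$1" -noout -subject -issuer -dates >/dev/null 2>&1
}

# Does CERT chain to ROOT?  The openssl equivalent of what libpq does once
# root.crt is present: exit status 0 only if the chain verifies.
chains_to_root() {
    root=$1
    cert=$2
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
}

# libpq refuses a client private key readable by group or others; check the mode
# with ls rather than stat, which differs between GNU and BSD.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

PKIDIR=$(mktemp -d)
make_test_pki "$PKIDIR"
ROOT="$PKIDIR/.postgresql/root.crt"

for f in "$ROOT" "$PKIDIR/server/server.crt" "$PKIDIR/.postgresql/postgresql.crt"; do
    if cert_parses "$f"; then echo "parses: $f"; else echo "DOES NOT PARSE: $f"; fi
done
chains_to_root "$ROOT" "$PKIDIR/server/server.crt" && echo "server.crt verifies against root.crt"
chains_to_root "$ROOT" "$PKIDIR/.postgresql/postgresql.crt" && echo "postgresql.crt verifies against root.crt"
chains_to_root "$PKIDIR/other.crt" "$PKIDIR/server/server.crt" || echo "server.crt rejected by an unrelated CA (expected)"
key_is_private "$PKIDIR/.postgresql/postgresql.key" && echo "postgresql.key is mode 0600"
```

Run it with `sh check-pki.sh`; the generated files stay under the mktemp directory it prints paths for, and the three helper functions can be pointed at a real ~/.postgresql/root.crt and a server certificate copied from the server's data directory.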