Thread: Need a wee bit more info on PostgreSQL's SSL security options

From: Andreas

Hi,

I've got it so far:
Server-OS: Debian 3.1 sarge
PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
available)

Following a tutorial (actually for OpenVPN as I didn't find any for PG
that goes beyond what is found in the main docu) I created a CA, server
and client certificate, updated postgresql.conf and pg_hba.conf, did a
restart of PG and connected from a windows box with pgAdmin.
NICE :)

Now as far as I see, even though I have my postgresql.crt+key in place,
I still have to provide username and password, right?

The server rejects my connection attempt if I move postgresql.crt+key
away. That's to be expected.
Can I further check the security of the server? The aim will be to have
the port open to the Internet.

How can I check that PG accepts only keys produced by my CA?

What would be the correct  "Common Name"  of a client?

I read that the client can maintain a file  root.crt  to check the
identity of the db-server.
Is this the  root.crt  that sits in PG's data-directory or is it the
server.crt  ?

In the documentation there is a certificate-revocation-list-file mentioned.
I suspect this is to revoke a formerly granted key that got lost or is
owned by a person who shouldn't be allowed to access the dbms anymore.
How is this CRL file set up?


Is there documentation that covers those matters more deeply than
chapter 16.8 and 20.1 of PG's main documentation?
Especially the whole client-side topic is rather thin for a newbie.


Regards
Andreas



Re: Need a wee bit more info on PostgreSQL's SSL security options

From: Martijn van Oosterhout

On Sun, Jun 03, 2007 at 12:21:14AM +0200, Andreas wrote:
> Hi,
>
> I've got it so far:
> Server-OS: Debian 3.1 sarge
> PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
> available)
>
> Following a tutorial (actually for OpenVPN as I didn't find any for PG
> that goes beyond what is found in the main docu) I created a CA, server
> and client certificate, updated postgresql.conf and pg_hba.conf, did a
> restart of PG and connected from a windows box with pgAdmin.
> NICE :)
>
> Now as far as I see, even though I have my postgresql.crt+key in place,
> I still have to provide username and password, right?

Yes. PostgreSQL can check that the client provides valid certificates;
you cannot, however, yet authenticate with certificates.

> Can I further check the security of the server? The aim will be to have
> the port open to the Internet.

Try to connect without SSL?

> Is there documentation that covers those matters more deeply than
> chapter 16.8 and 20.1 of PG's main documentation?
> Especially the whole client-side topic is rather thin for a newbie.

There's 29.16:
http://www.postgresql.org/docs/8.2/interactive/libpq-ssl.html

As for CRL, I think that was only added after 8.1.

Other than that I don't know.

Hope this helps,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
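
The server-side counterpart of the "connect without SSL" check suggested in the reply, as an added example that is not part of either message: a small audit that lists the pg_hba.conf records through which a TCP client could still be admitted without SSL. The function names and the sample file are constructed for illustration, and the audit is conservative in that it does not model pg_hba.conf's first-match ordering.

```shell
#!/bin/sh
# Added example (not from the thread): flag pg_hba.conf records that can
# admit a TCP client without SSL.

# write_sample_hba FILE
# Writes a constructed sample pg_hba.conf (hypothetical databases, users and
# addresses) so the audit can be run offline.
write_sample_hba() {
    cat > "$1" <<'EOF'
# TYPE     DATABASE USER  CIDR-ADDRESS      METHOD
local      all      postgres                ident sameuser
host       all      all   127.0.0.1/32      md5
hostssl    all      all   0.0.0.0/0         md5
host       appdb    app   192.0.2.0 255.255.255.0 md5   # legacy, pre-SSL
hostnossl  all      all   0.0.0.0/0         reject
EOF
}

# nonssl_rules FILE
# Prints "LINE_NO: record" for every 'host' or 'hostnossl' record whose
# method is not 'reject'. 'host' matches both SSL and non-SSL connections,
# 'hostnossl' only non-SSL ones. 'hostssl' records match SSL connections
# only and 'local' records are Unix-socket only, so both are skipped.
nonssl_rules() {
    awk '
        { sub(/#.*/, "") }          # strip comments
        NF == 0 { next }            # skip blank and comment-only lines
        $1 == "host" || $1 == "hostnossl" {
            # Address is either "addr/len" (one field) or "addr mask" (two)
            method = (index($4, "/") > 0) ? $5 : $6
            if (method != "reject") {
                $1 = $1             # normalise whitespace in the record
                printf "%d: %s\n", NR, $0
            }
        }
    ' "$1"
}

# Demo on the constructed sample: records on lines 3 and 5 are reported.
# The reject on line 6 comes too late to shield line 5, because the first
# matching record decides the outcome.
tmp=$(mktemp)
write_sample_hba "$tmp"
nonssl_rules "$tmp"
rm -f "$tmp"
```

Once the file contains only `hostssl` records for remote addresses, a client run with the libpq environment variable `PGSSLMODE=disable` should be refused.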
