Thread: ssl woes after 8.1 -> 8.3 update
Debian etch + backported postgresql

I just copied pg_hba.conf from 8.1 to 8.3.

on postgresql.conf
ssl=true
listen_addresses = '*'

symlinked root.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem

Error connecting to the server: could not open certificate file
"/home/ivan/.postgresql/postgresql.crt": No such file or directory

is there an howto to do things properly in spite of just trial and
errors?
I wouldn't like to come out with an absolutely insecure solution
after sweating ;)
snakeoil is not a very good premise.

thanks

--
Ivan Sergio Borgonovo
http://www.webthatworks.it

Ivan Sergio Borgonovo wrote on 16.10.2008 16:29:
> Debian etch + backported postgresql
>
> I just copied pg_hba.conf from 8.1 to 8.3.
>
> on postgresql.conf
> ssl=true
> listen_addresses = '*'
>
> symlinked root.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem

As described in documentation, giving "root.crt" to server means your
clients need client certificate to connect.

> Error connecting to the server: could not open certificate file
> "/home/ivan/.postgresql/postgresql.crt": No such file or directory

It looks like you don't have client certificate.

> is there an howto to do things properly in spite of just trial and
> errors?

This one should be enough:
http://www.postgresql.org/docs/current/interactive/ssl-tcp.html

You should either provide matching client certificate or remove root.crt
from server configuration.

--
Regards,
Tomasz Myrta

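Added example, not part of the thread or of either poster's message: one way to produce a "matching" client certificate as mentioned in the reply above, meaning one signed by the CA whose certificate the server holds as root.crt, rather than pointing root.crt at the snakeoil certificate. The CA name, the CN label and the work directory are constructed; root.crt and ~/.postgresql/postgresql.crt are the names from the thread, and postgresql.key is the key file libpq looks for beside the certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Subjects and directories are constructed.
set -eu

# Create a private CA plus one client certificate signed by it.
# $1 = output directory, $2 = label placed in the client certificate's CN
make_client_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # CA key and self-signed CA certificate. The certificate (not the key)
    # is what the server is given as root.crt.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=example-pg-ca" \
        -keyout "$dir/ca.key" -out "$dir/root.crt" 2>/dev/null
    # Client key and signing request.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/postgresql.key" -out "$dir/client.csr" 2>/dev/null
    # Sign the request with the CA: this is what makes the certificate "match".
    openssl x509 -req -in "$dir/client.csr" -days 365 \
        -CA "$dir/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/postgresql.crt" 2>/dev/null
    rm -f "$dir/client.csr"
    # Private keys must not be readable by group or others.
    chmod 600 "$dir/ca.key" "$dir/postgresql.key"
}

# Succeed only if certificate $2 chains to the CA certificate in $1.
# The output is parsed because old openssl releases exit 0 on failure.
cert_matches_root() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d)
make_client_cert "$work" ivan
if cert_matches_root "$work/root.crt" "$work/postgresql.crt"; then
    echo "client certificate chains to root.crt (files in $work)"
fi
# Then: root.crt goes where the server expects it; postgresql.crt and
# postgresql.key go into the connecting user's ~/.postgresql/ directory.
```

Keep ca.key off the database server; only root.crt needs to be there.
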
On Thu, 16 Oct 2008 18:51:55 +0200
Tomasz Myrta <jasiek@klaster.net> wrote:

> This one should be enough:
> http://www.postgresql.org/docs/current/interactive/ssl-tcp.html

I've found this:
http://quasiroot.wordpress.com/2007/07/22/postgresql-connectivity-with-jdbc-over-ssl/
and I got it working just a bit earlier than reading your email.

First connection with pgadmin3 looks slower than it used to be with
8.1.
pgadmin3 was configured to *require* ssl, so I think I was using ssl
even with 8.1, what could have been changed?

BTW... maybe it's just a temporary problem due to quality of
connection..

As soon as I've 5 spare minutes to rewrite it in a dumb-proof way
and I'll understand what I really did I may republish it on my
website so it would be easier for people to find guidelines.

> You should either provide matching client certificate or remove
> root.crt from server configuration.

What's actually going to happen if I kill root.crt?

thanks

--
Ivan Sergio Borgonovo
http://www.webthatworks.it