Thread: Refresh Postgres SSL certs?
Hello, In light of the "Heartbleed" OpenSSL bug[0,1], I'm wondering if I need to regenerate the SSL certs on my postgres installations[2] (at least the ones listening on more than localhost)? On Ubuntu it looks like there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key} pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any documentation on how to regenerate these? Are they self-signed? Can I replace them with my own self-signed certs, like I'd do with Apache or Nginx? Thanks! Paul [0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 [1] http://heartbleed.com/ [2] http://www.postgresql.org/docs/9.1/static/ssl-tcp.html -- _________________________________ Pulchritudo splendor veritatis.
On Wed, Apr 09, 2014 at 12:28:14PM -0700, Paul Jungwirth wrote: > Hello, > > In light of the "Heartbleed" OpenSSL bug[0,1], I'm wondering if I need > to regenerate the SSL certs on my postgres installations[2] (at least > the ones listening on more than localhost)? On Ubuntu it looks like > there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key} > pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any > documentation on how to regenerate these? Are they self-signed? Can I > replace them with my own self-signed certs, like I'd do with Apache or > Nginx? Have you read the Debian README? /usr/share/doc/postgresql-*/README.Debian.gz It talks about how the certificates are made. It uses the ssl-cert package to make them, there's more docs there. Yes, you can make your own self-signed certs and use them. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > He who writes carelessly confesses thereby at the very outset that he does > not attach much importance to his own thoughts. -- Arthur Schopenhauer
Attachment
> Have you read the Debian README? > /usr/share/doc/postgresql-*/README.Debian.gz Thank you for pointing me to that file. From /etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is already self-signed, so that's promising. So I take it that psql and the postgres client library won't object to a self-signed cert. Do they do any kind of certificate pinning or other caching of the old cert? Or can I just replace the cert, restart the postgres server, and be done? Thanks, Paul -- _________________________________ Pulchritudo splendor veritatis.
On Wed, Apr 09, 2014 at 12:59:53PM -0700, Paul Jungwirth wrote: > > Have you read the Debian README? > > /usr/share/doc/postgresql-*/README.Debian.gz > > Thank you for pointing me to that file. From > /etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is > already self-signed, so that's promising. So I take it that psql and > the postgres client library won't object to a self-signed cert. Do > they do any kind of certificate pinning or other caching of the old > cert? Or can I just replace the cert, restart the postgres server, and > be done? No pinning, no caching. Have a nice day, -- Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/ > He who writes carelessly confesses thereby at the very outset that he does > not attach much importance to his own thoughts. -- Arthur Schopenhauer