Thread: PostgreSQL configurable SSL key checking
Hi, I tried sending this mail to pgadmin, but nobody could find a solution to my problem. So I changed my problem into a suggestion and I was hoping I am at the right place for it here :-) -------- Original Message -------- Subject: Postgres using SSL connections Date: Thu, 25 Aug 2005 20:27:18 +0200 From: Simon de Hartog <simon.postgresql@dehartog.nl> To: pgsql-admin@postgresql.org Hi, I want to have Postgres use an SSL certificate for secure access by clients over the internet. I have a server that runs PostgreSQL and I have created my own Certificate Authority. I now have a certificate and corresponding private key in /etc/ssl. This pair is used without problems by: - Apache 2 - LDAP server - Sendmail - stunnel - VPN software I have added all the users these applications run as to a group called "ssl". Permissions on the private key are owned by root, group ssl, protection rw-r----- (640). When I tell PostgreSQL to use this key with certificate (by using symlinks from server.key and server.crt in the postgreSQL data dir) it tells me that owner and permissions are wrong. How can I use this certificate and key for PostgreSQL (without copying the key and changing owner and permissions etc, because then the whole idea of centrally coordinated certificates is gone)? I checked the archives. A lot of comments considering the unclear error messages in previous versions, this has been solved IMHO. Also some comments and patches to remove these checks, concluded by comments that they must remain. All in all, it still doesn't work for my situation. So my suggestion is: Would it be nice to have a configuration-file option to disable these checks? Maybe possibly even configurable locations of these files, instead of the defaults in the PostgreSQL data dir? Kind regards and thanks in advance, Simon de Hartog P.S. If you would like a patch, do you want it against 8.0.x or 8.1 beta (or both)? -- "From every point in life, there's a road that leads to where you want to go." E: simon <at-sign> dehartog <point> nl W: http://simon.dehartog.nl/ P: +31-6-15094709 M: simon_net <at-sign> rootsr <point> com I: 8714776 K: http://www.rootsr.com/simon.crt
Simon de Hartog <simon.postgresql@dehartog.nl> writes: > I have added all the users these applications run as to a group called > "ssl". Permissions on the private key are owned by root, group ssl, > protection rw-r----- (640). When I tell PostgreSQL to use this key with > certificate (by using symlinks from server.key and server.crt in the > postgreSQL data dir) it tells me that owner and permissions are wrong. > How can I use this certificate and key for PostgreSQL (without copying > the key and changing owner and permissions etc, because then the whole > idea of centrally coordinated certificates is gone)? You can't, and I don't see why it's a good idea to use the same key for different server applications. regards, tom lane
On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote: > I have added all the users these applications run as to a group called > "ssl". Permissions on the private key are owned by root, group ssl, > protection rw-r----- (640). When I tell PostgreSQL to use this key with > certificate (by using symlinks from server.key and server.crt in the > postgreSQL data dir) it tells me that owner and permissions are wrong. > > How can I use this certificate and key for PostgreSQL (without copying > the key and changing owner and permissions etc, because then the whole > idea of centrally coordinated certificates is gone)? Did you try using a hardlink instead of a symlink? -- Alvaro Herrera -- Valdivia, Chile Architect, www.EnterpriseDB.com "Ninguna manada de bestias tiene una voz tan horrible como la humana" (Orual)
On Mon, Sep 05, 2005 at 03:27:01PM -0400, Alvaro Herrera wrote: > On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote: > > > I have added all the users these applications run as to a group called > > "ssl". Permissions on the private key are owned by root, group ssl, > > protection rw-r----- (640). When I tell PostgreSQL to use this key with > > certificate (by using symlinks from server.key and server.crt in the > > postgreSQL data dir) it tells me that owner and permissions are wrong. > > Did you try using a hardlink instead of a symlink? Huh, sorry, of course it doesn't work. -- Alvaro Herrera -- Valdivia, Chile Architect, www.EnterpriseDB.com Syntax error: function hell() needs an argument. Please choose what hell you want to involve.
Alvaro Herrera <alvherre@alvh.no-ip.org> writes: > On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote: >> How can I use this certificate and key for PostgreSQL (without copying >> the key and changing owner and permissions etc, because then the whole >> idea of centrally coordinated certificates is gone)? > Did you try using a hardlink instead of a symlink? Won't help --- he's complaining about the stat() test on ownership and permissions of the private key file (in be-secure.c). stat looks through symlinks, so the answer will be the same. regards, tom lane