Thread: Re: [ADMIN] Connecting via SSL not working (except from psql)

Hi!

SSL is not enabled at connection time in pgsql - it is negotiated with
the postmaster, and enabled later. You need to send a correctly
formatted start message in clear text to the postmaster to initiate the
SSL negotiation first, and turn on SSL after that (assuming the
postmaster reports that SSL is Ok).
This is done so the postmaster can listen for both SSL and non-SSL
connections on the same port.

Take a look at how libpq does it. In 7.1.3, it starts at line 963 in
interfaces/libpq/fe-connect.c.
(Sorry, don't have the source to a newer version around right now - look
for comment on 'Attempt to negotiate SSL usage').

//Magnus

> -----Original Message-----
> From: Paul Legato [mailto:plegato@nks.net]
> Sent: Tuesday, August 06, 2002 5:47 PM
> To: pgsql-admin@postgresql.org
> Cc: pgsql-jdbc@postgresql.org
> Subject: [ADMIN] Connecting via SSL not working (except from psql)
>
> Hi,
>
> I'm trying to connect to SSL-enabled Postgres (started with -i -l) using
> both the openssl command line utility and with a modified JDBC driver
> using the built in JSSE API from Java 1.4.
>
> If I attempt to connect from a shell with the openssl test utility, I get:
>
> $ openssl s_client -connect localhost:5432
> CONNECTED(00000003)
> 25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
>
> With the JDBC driver, at connection I get:
>
> javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>
> In both cases, the server logs the message "FATAL 1: invalid length of
> startup packet".
>
> A connection to the server with psql works fine, and prints "SSL
> connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
> manually specifying this cipher to openssl, which does not change the
> result.
>
> I'm stuck. Any suggestions or pointers will be greatly appreciated. :)
>
> Thanks,
> -Paul
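
The negotiation described in the reply above, as an added Python example that is not part of the thread and is not libpq's code. The packet layout (length 8, request code 80877103) and the one-byte `S`/`N` reply come from the PostgreSQL frontend/backend protocol documentation rather than from the thread; the function names and the `require_ssl` parameter are hypothetical, and the replies fed to `simulate` are constructed.

```python
import socket
import struct

# SSLRequest: Int32 length (8), then Int32 code 80877103 = (1234 << 16) | 5679.
SSL_REQUEST = struct.pack("!II", 8, (1234 << 16) | 5679)


def request_ssl(sock, require_ssl=True):
    """Send SSLRequest in clear text; return True when TLS must start next."""
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)  # read one byte only: what follows belongs to TLS
    if answer == b"S":
        return True
    if answer == b"N":
        if require_ssl:
            raise ConnectionError("server refused SSL; not falling back to clear text")
        return False  # caller explicitly accepted an unencrypted session
    raise ConnectionError(f"unexpected reply to SSLRequest: {answer!r}")


def connect(host, port, context, require_ssl=True):
    """Open a TCP connection and upgrade it with an ssl.SSLContext if accepted."""
    sock = socket.create_connection((host, port))
    try:
        if request_ssl(sock, require_ssl):
            return context.wrap_socket(sock, server_hostname=host)
        return sock
    except Exception:
        sock.close()
        raise


def simulate(reply, require_ssl=True):
    """Run request_ssl against a constructed one-byte reply (no real server)."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(reply)  # queue the answer the postmaster would send
        try:
            outcome = request_ssl(client, require_ssl)
        except ConnectionError as exc:
            outcome = str(exc)
        return server.recv(8), outcome


if __name__ == "__main__":
    for reply in (b"S", b"N", b"E"):
        print(reply, simulate(reply))
```

A client that opens with a TLS ClientHello, as `openssl s_client -connect` does, has its first bytes read by the postmaster as a packet length, which matches the "invalid length of startup packet" log line in the original report. Current OpenSSL releases perform the cleartext exchange themselves with `openssl s_client -starttls postgres`.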

Hi Magnus,

Thanks for the help. I'll take a look at fe-connect.c and see if I can
get my JDBC driver working.

Is anyone within the Postgres project currently adding SSL support to
JDBC? Anyone interested in the patches once I get everything working?

-Paul

We are certainly interested in any patches once you are done. I don't
know about anyone else that is working on this currently.

thanks,
--Barry