Thread: SSL

SSL

From
Tom Allison
Date:
how do I override the SSL option?

2006-11-19 10:30:20 EST 4974 [unknown] LOG:  connection received: host=127.0.0.1 port=32785
2006-11-19 10:30:20 EST 4974 [unknown] LOG:  could not accept SSL connection: EOF detected
2006-11-19 10:30:29 EST 4981 [unknown] LOG:  connection received: host=127.0.0.1 port=32789
2006-11-19 10:30:31 EST 4981 dbmail LOG:  connection authorized: user=dbmail database=dbmail
2006-11-19 10:30:35 EST 4987 [unknown] LOG:  connection received: host=127.0.0.1 port=32794
2006-11-19 10:30:35 EST 4987 [unknown] LOG:  could not accept SSL connection: EOF detected
2006-11-19 10:30:35 EST 4990 [unknown] LOG:  connection received: host=127.0.0.1 port=32797



I would prefer that 127.0.0.1 take non-SSL and all others take SSL only.


The following doesn't work:

host    dbmail      all         127.0.0.1/32          md5
hostssl dbmail      postfix     127.0.0.1/32          reject
hostssl all         all         192.168.1.0/24        md5
hostssl all         all         192.168.0.0/24        md5
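Added illustration, not part of the thread: a minimal model of pg_hba.conf first-match evaluation, run over the rules posted above and over a hostnossl/hostssl variant of the stated preference (both constructed here, not config from the poster's server). It shows why the "hostssl ... reject" record is shadowed by the "host" record before it, and that pg_hba.conf can only accept or reject the transport the client already chose; it cannot downgrade an SSL attempt to plaintext.

```python
import ipaddress
from collections import namedtuple
# A constructed TCP/IP connection attempt as the server sees it.
Conn = namedtuple("Conn", "host database user ssl")

def _field_matches(field, value):
    # 'all' matches any name; otherwise the field is a comma-separated list.
    return field == "all" or value in field.split(",")

def parse_hba(text):
    """Parse host-type records: TYPE DATABASE USER CIDR-ADDRESS METHOD."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, db, user, cidr, method = line.split()
            rules.append((kind, db, user, ipaddress.ip_network(cidr), method))
    return rules

def evaluate(rules, conn):
    """First matching record wins. None means nothing matched, which
    PostgreSQL treats as a rejected connection."""
    addr = ipaddress.ip_address(conn.host)
    for kind, db, user, net, method in rules:
        if kind == "hostssl" and not conn.ssl:
            continue  # SSL-only record; client arrived in plaintext
        if kind == "hostnossl" and conn.ssl:
            continue  # plaintext-only record; client arrived over SSL
        if addr in net and _field_matches(db, conn.database) and _field_matches(user, conn.user):
            return method
    return None

# The rules from the original post. 'host' matches TCP/IP with or without SSL,
# so every 127.0.0.1 client hits the first record and 'reject' is never reached.
POSTED = """
host    dbmail      all         127.0.0.1/32          md5
hostssl dbmail      postfix     127.0.0.1/32          reject
hostssl all         all         192.168.1.0/24        md5
hostssl all         all         192.168.0.0/24        md5
"""

# The stated preference written with hostnossl/hostssl (constructed rules).
# The catch-all only makes the default explicit: unmatched is rejected anyway.
INTENDED = """
hostnossl dbmail    all         127.0.0.1/32          md5
hostssl   all       all         192.168.1.0/24        md5
hostssl   all       all         192.168.0.0/24        md5
host      all       all         0.0.0.0/0             reject
"""
```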

Re: SSL

From
Richard Broersma Jr
Date:
> how do I override the SSL option?
>
> 2006-11-19 10:30:20 EST 4974 [unknown] LOG:  connection received: host=127.0.0.1 port=32785
> 2006-11-19 10:30:20 EST 4974 [unknown] LOG:  could not accept SSL connection: EOF detected
>
> I would prefer that 127.0.0.1 take non-SSL and all others take SSL only.
>
> The following doesn't work:
>
> host    dbmail      all         127.0.0.1/32          md5
> hostssl dbmail      postfix     127.0.0.1/32          reject
> hostssl all         all         192.168.1.0/24        md5
> hostssl all         all         192.168.0.0/24        md5
>

According to your error message, your client/frontend is trying to connect using ssl and your
postgresql server is not accepting it.  Also, you could configure the 127.0.0.1/32 connections
as local instead of host.  This way you will be connected through Unix-domain sockets rather than
tcp/ip ports and you will not need SSL support for local connections anyway.

However, according to the postgresql manual, for a pg server to accept ssl connections the server
must be built with support for SSL and its pg_hba.conf file must be configured properly.

http://www.postgresql.org/docs/8.2/interactive/auth-pg-hba-conf.html

hostssl
This record matches connection attempts made using TCP/IP, but only when the connection is made
with SSL encryption.

To make use of this option the server must be built with SSL support. Furthermore, SSL must be
enabled at server start time by setting the ssl configuration parameter (see Section 16.7 for more
information).


Regards,

Richard Broersma Jr.

Re: SSL

From
Tom Allison
Date:
Richard Broersma Jr wrote:
>> how do I override the SSL option?
>>
>> 2006-11-19 10:30:20 EST 4974 [unknown] LOG:  connection received: host=127.0.0.1 port=32785
>> 2006-11-19 10:30:20 EST 4974 [unknown] LOG:  could not accept SSL connection: EOF detected
>>
>> I would prefer that 127.0.0.1 take non-SSL and all others take SSL only.
>>
>> The following doesn't work:
>>
>> host    dbmail      all         127.0.0.1/32          md5
>> hostssl dbmail      postfix     127.0.0.1/32          reject
>> hostssl all         all         192.168.1.0/24        md5
>> hostssl all         all         192.168.0.0/24        md5
>>
>
> According to your error message, your client/frontend is trying to connect using ssl and your
> postgresql server is not accepting it.  Also, you could configure the 127.0.0.1/32 connections
> as local instead of host.  This way you will be connected through Unix-domain sockets rather than
> tcp/ip ports and you will not need SSL support for local connections anyway.
>
> However, according to the postgresql manual, for a pg server to accept ssl connections the server
> must be built with support for SSL and its pg_hba.conf file must be configured properly.
>
> http://www.postgresql.org/docs/8.2/interactive/auth-pg-hba-conf.html
>
> hostssl
> This record matches connection attempts made using TCP/IP, but only when the connection is made
> with SSL encryption.
>
> To make use of this option the server must be built with SSL support. Furthermore, SSL must be
> enabled at server start time by setting the ssl configuration parameter (see Section 16.7 for more
> information).
>

I've been using SSL connections all week long on this box.

The logs in postgresql are actually saying the opposite.  The connection is
being made as an SSL and the client can't support it.  I'm trying to downgrade
the connection to a nossl connection if I can't do anything else.

As for local sockets -- not supported by this particular client (postfix).

Re: SSL

From
Richard Broersma Jr
Date:
> >> how do I override the SSL option?
> I've been using SSL connections all week long on this box.
>
> The logs in postgresql are actually saying the opposite.  The connection is
> being made as an SSL and the client can't support it.  I'm trying to downgrade
> the connection to a nossl connection if I can't do anything else.
>
> As for local sockets -- not supported by this particular client (postfix).

If you don't get a good answer on this list you might try: pgsql-general@postgresql.org since it
has a larger/more experienced user base.

Regards,

Richard Broersma Jr.

Re: SSL

From
Jim Nasby
Date:
On Nov 19, 2006, at 10:33 AM, Tom Allison wrote:
> As for local sockets -- not supported by this particular client
> (postfix).

Actually, I suspect that postfix is just using libpq, which means it
can make a local socket connection unless postfix is overly pedantic
about connection settings (see my other reply about using
pg_service.conf).
--
Jim Nasby                                            jim@nasby.net
EnterpriseDB      http://enterprisedb.com      512.569.9461 (cell)