Thread: strange SSL msg
Hi list,

I followed the http://www.howtoforge.com/postgresql-ssl-certificates HOWTO and succeeded in installing SSL certificates (although the pg_hba.conf line should be: hostssl mydb myuser 0.0.0.0/0 cert (and not trust).)

As I hadn't yet tested revocation, I did a: touch root.crl

but at server start I got these 2 log lines:

SSL certificate revocation list file "root.crl" not found, skipping: no SSL error reported
Certificates will not be checked against revocation list.

Is this behavior normal or not?

JY
--

"Jean-Yves F. Barbier" <12ukwn@gmail.com> writes:
> I followed the http://www.howtoforge.com/postgresql-ssl-certificates HOWTO
> and succeeded in installing SSL certificates (although the pg_hba.conf line should
> be: hostssl mydb myuser 0.0.0.0/0 cert (and not trust).)
> As I hadn't yet tested revocation, I did a: touch root.crl but at server
> start I got these 2 log lines:
> SSL certificate revocation list file "root.crl" not found, skipping: no SSL error reported
> Certificates will not be checked against revocation list.
> Is this behavior normal or not?

Hmmm ... I don't see that here, on a Fedora 13 machine (openssl-1.0.0d).

It appears from the message that X509_STORE_load_locations is returning zero but not bothering to set up an OpenSSL error message. It's not entirely surprising that they might consider an empty file as an error, perhaps; but I'm thinking this might be a bug that's fixed in newer OpenSSL releases.

regards, tom lane

On Mon, 30 May 2011 23:06:18 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Jean-Yves F. Barbier" <12ukwn@gmail.com> writes:
> > I followed the http://www.howtoforge.com/postgresql-ssl-certificates HOWTO
> > and succeeded in installing SSL certificates (although the pg_hba.conf line should
> > be: hostssl mydb myuser 0.0.0.0/0 cert (and not trust).)
>
> > As I hadn't yet tested revocation, I did a: touch root.crl but at server
> > start I got these 2 log lines:
> > SSL certificate revocation list file "root.crl" not found, skipping: no SSL error reported
> > Certificates will not be checked against revocation list.
>
> > Is this behavior normal or not?
>
> Hmmm ... I don't see that here, on a Fedora 13 machine (openssl-1.0.0d).

Oops, sorry, I forgot to tell you I'm under Debian sid.

> It appears from the message that X509_STORE_load_locations is returning
> zero but not bothering to set up an OpenSSL error message. It's not
> entirely surprising that they might consider an empty file as an error,

No, it is purely missing: I copied the client certificate id (generated in root.srl) into root.crl and still nothing. I also tested a copy of this file (instead of a symlink) in /var/lib/postgresql/9.0/main/, and in /var/lib/postgresql/ (Debian postgres user home), and also in /var/lib/postgresql/.postgresql/ !

> perhaps; but I'm thinking this might be a bug that's fixed in newer
> OpenSSL releases.

It may be that, as sid is unstable...

JY
--

"Jean-Yves F. Barbier" <12ukwn@gmail.com> writes:
> On Mon, 30 May 2011 23:06:18 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> It appears from the message that X509_STORE_load_locations is returning
>> zero but not bothering to set up an OpenSSL error message. It's not
>> entirely surprising that they might consider an empty file as an error,

> No, it is purely missing:
> I copied the client certificate id (generated in root.srl) into root.crl
> and still nothing.
> I also tested a copy of this file (instead of a symlink) in
> /var/lib/postgresql/9.0/main/,
> and in /var/lib/postgresql/ (Debian postgres user home)
> and also in /var/lib/postgresql/.postgresql/ !

The file is supposed to be in $PGDATA. Random other locations will definitely *not* work.

regards, tom lane

On Mon, 30 May 2011 23:56:54 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Jean-Yves F. Barbier" <12ukwn@gmail.com> writes:
> > On Mon, 30 May 2011 23:06:18 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >> It appears from the message that X509_STORE_load_locations is returning
> >> zero but not bothering to set up an OpenSSL error message. It's not
> >> entirely surprising that they might consider an empty file as an error,
>
> > No, it is purely missing:
> > I copied the client certificate id (generated in root.srl) into root.crl
> > and still nothing.
> > I also tested a copy of this file (instead of a symlink) in
> > /var/lib/postgresql/9.0/main/,
> > and in /var/lib/postgresql/ (Debian postgres user home)
> > and also in /var/lib/postgresql/.postgresql/ !
>
> The file is supposed to be in $PGDATA. Random other locations will
> definitely *not* work.

$PGDATA is /var/lib/postgresql/9.0/main/ in Debian.

It is now working: I was naively thinking that root.crl should be fed only with the certificate fingerprint (from root.srl, which is generated each time I use the HOWTO client certificate generation script), but it is the entire certificate that should be in it (info grabbed from an IBM Pg paper but not found in Pg's docs; I'm not very strong with openssl :(

Thanks Tom

JY
--
I may kid around about drugs, but really, I take them seriously.
-- Doctor Graper
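What the server actually needs in $PGDATA/root.crl is a PEM-encoded X.509 CRL signed by the CA whose certificate is in root.crt: root.srl holds only the next serial number that `openssl x509 -CAcreateserial` will use, and an empty file from `touch` is not a CRL at all, which is what the "not found, skipping" warning was reporting. The script below is an added example, not code from the thread, the HOWTO or PostgreSQL. It builds a throwaway CA with openssl, issues two client certificates the way the HOWTO does, revokes one, writes root.crl, and checks the result with `openssl verify -crl_check`. The directory layout, the CNs `myuser`/`otheruser` and the minimal `openssl ca` configuration are assumptions made for the example; it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread or PostgreSQL): produce the PEM CRL that
# PostgreSQL 9.0/9.1 load from $PGDATA/root.crl at server start, and show why
# an empty file or a bare serial number is rejected.
set -eu

# Minimal `openssl ca` configuration (assumed layout for this example);
# the CA directory path is expanded when the file is written.
write_ca_config() {  # $1 = CA directory
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Create the CA key/cert plus the bookkeeping files `openssl ca` insists on.
setup_ca() {  # $1 = CA directory
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/ca.cnf" -subj "/CN=Example Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# Issue a client cert the way the HOWTO does (openssl x509 -req);
# -CAcreateserial writes root.srl, which holds only the next serial number.
issue_client_cert() {  # $1 = CA directory, $2 = CN (the database user name)
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# Revoke one certificate and regenerate the CRL. The output is the complete
# signed CRL structure (-----BEGIN X509 CRL-----), which is what root.crl
# must contain; a serial number or a copied certificate will not load.
revoke_and_write_crl() {  # $1 = CA directory, $2 = cert to revoke, $3 = CRL path
    openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$3" 2>/dev/null
}

# 0 if the file parses as a CRL, 1 otherwise. The empty file that
# `touch root.crl` creates fails this check.
crl_parses() {  # $1 = CRL file
    openssl crl -in "$1" -noout >/dev/null 2>&1
}

# 0 if the client cert still verifies with revocation checking enabled,
# 1 if it is revoked or otherwise invalid (the check OpenSSL performs for
# the server once the CRL is loaded).
client_cert_ok_with_crl() {  # $1 = CA cert, $2 = CRL file, $3 = client cert
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Walk through the whole procedure in a temporary directory.
main() {
    ca=$(mktemp -d)
    setup_ca "$ca"
    issue_client_cert "$ca" myuser
    issue_client_cert "$ca" otheruser

    : > "$ca/empty.crl"   # what `touch root.crl` produces
    if crl_parses "$ca/empty.crl"; then echo "unexpected: empty file parsed as a CRL"; fi

    revoke_and_write_crl "$ca" "$ca/myuser.crt" "$ca/root.crl"
    openssl crl -in "$ca/root.crl" -noout -text | grep -E 'Serial Number|Next Update'
    client_cert_ok_with_crl "$ca/root.crt" "$ca/root.crl" "$ca/myuser.crt" \
        && echo "myuser: still accepted" || echo "myuser: rejected (revoked)"
    client_cert_ok_with_crl "$ca/root.crt" "$ca/root.crl" "$ca/otheruser.crt" \
        && echo "otheruser: accepted" || echo "otheruser: rejected"
    # On the server: cp "$ca/root.crl" "$PGDATA/root.crl" and restart.
    rm -rf "$ca"
}
main
```

To deploy, copy root.crl (not root.srl, and not the revoked certificate) into $PGDATA, which on Debian's 9.0 packages is /var/lib/postgresql/9.0/main/, and restart the server; the file name is fixed in 9.0 and 9.1, while 9.2 and later take it from the ssl_crl_file parameter. The CRL carries a Next Update time (30 days with the default_crl_days above), and OpenSSL rejects a CRL past that time, which turns into every certificate-authenticated connection failing, so regenerate and reinstall it on a schedule even when nothing new has been revoked.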