Postgres Pro
Downloads
Home   >   mailing lists

Thread: HowTo SSL probaply with ODBC ?

HowTo SSL probaply with ODBC ?

From
Andreas
Date:
Hi,

is there a documentation on how to secure a connection withe SSL?
That is an option of the ODBC driver, isn't it?

The motivation is that I need to rent a remote server for PG.
Their admin proposes to open port 5432 on the outside of their firewall
but he has no idea how to secure the access besides PG's user/password.
I couldn't even restrict the accessing IPs within PG because they will
be dynamic.


Regards
Andreas

Re: [GENERAL] HowTo SSL probaply with ODBC ?

From
John DeSoi
Date:
On May 16, 2007, at 10:23 AM, Andreas wrote:

> is there a documentation on how to secure a connection withe SSL?
> That is an option of the ODBC driver, isn't it?

http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html

I don't know about ODBC.


>
> The motivation is that I need to rent a remote server for PG.
> Their admin proposes to open port 5432 on the outside of their
> firewall but he has no idea how to secure the access besides PG's
> user/password.
> I couldn't even restrict the accessing IPs within PG because they
> will be dynamic.

If they won't setup PostgreSQL properly with SSL support, your best
bet is to setup a SSH tunnel. This will also work with ODBC. If they
don't support SSH, find another provider :). Here is some background
on setting it up:

http://pgedit.com/tip/postgresql/ssh_tunneling



John DeSoi, Ph.D.
http://pgedit.com/
Power Tools for PostgreSQL

Re: [GENERAL] HowTo SSL probaply with ODBC ?

From
"Albe Laurenz"
Date:
Andreas wrote:
> is there a documentation on how to secure a connection withe SSL?
> That is an option of the ODBC driver, isn't it?
>
> The motivation is that I need to rent a remote server for PG.
> Their admin proposes to open port 5432 on the outside of their
firewall
> but he has no idea how to secure the access besides PG's
user/password.
> I couldn't even restrict the accessing IPs within PG because they will

> be dynamic.

The ODBC driver uses libpq.dll to establish the connection, and
libpq.dll
can use SSL encryption, so you should have no problem.

You must enable SSL on the server (your provider, that is), by setting
'ssl = on' in postgresql.conf. There must be a server.key and server.crt
file in the PostgreSQL server data directory containing the private key
and the public certificate of the server.

Moreover, this only makes sense if you enforce it.
In pg_hba.conf on the server, add two lines like this:

hostssl all         all         0.0.0.0/0             md5
host    all         all         0.0.0.0/0             reject

Then only SSL connections will be accepted.

This way you can also restrict connections to be only allowed from
your subnet - just change the IP address and netmask in the 'hostssl'
line to match your subnet.

Yours,
Laurenz Albe