Re: SSL Support?

From: "Klemens Seydel" <pierromail(at)gmx(dot)de>
To: "Mitch Vincent" <mitch(at)doot(dot)org>
Cc: <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: SSL Support?
Date: 2002-01-24 03:01:17
Message-ID: 019301c1a483$694a42b0$1764a8c0@potsdam.amsoft.de
Lists: pgsql-odbc

Hi Mitch,

There will be no point in the FAQs concerning the setup of secure
tunnels, since it's not *PART* of postgresql but a way of *USING* it.

Setting up an SSL tunnel is really easy:

1. Get Stunnel (www.stunnel.org)
2. Unpack on Client, Unpack on Server
3. Run on Server:
   stunnel-3.20.exe -p <pem-file> -d <sslextport> -r localhost:<dbport>
4. Run on Client:
   stunnel-3.20.exe -c -d <localport> -r <server>:<sslextport>
5. Make your ODBC connection (yes, I mean client side) listening
   to localhost:<localport>
6. See it working

Now, if all works and you want to make it bombsafe, change your
database configuration to only accept new connections from the
inside "localhost"/"127.0.0.1" but from no other hosts. The only way
the data can still be accessed is from your brand new SSL tunnel
or the server machine itself.

You see, it requires at minimum a certificate (i.e. *.pem-file) on the
server side (optional on client side), suggesting you already got a
working certificate from your root authority. Get a simple (free)
certificate only for testing purposes from www.thawte.com.

They will contact you if you need a personal identity certificate
or a root key so you can be your own root authority, giving out
identity certs to your customers or workers or anybody else.

The scheme is easy to understand:

[Server] SSL-Port [ ]<----- SSL on TCP/IP ----->[ ] SSL-Port [Client]
|                  |                             |                  |
|                  |                             |                  |
|       (stunnel sitting here)        (stunnel sitting here)        |
|              (trusted)                         |                  |
|                  |                             |                  |
[ ] DB-Port        |                             |        DB-Port [ ]
|__________________|                             |__________________|

That's just a sample config, working locally here on my machine, for a
custom project to be moved to the internet soon. I only need to change the
hosts in the config files from "localhost" to the corresponding server IP
address. I use the newest winxp+mysql and rhlinux/pgsql; the stuff works
fine on both systems (or should I rather say worlds?).

I hope I explained it well enough.

Regards from Germany,

Klemens Seydel
AM-Soft - IT-Systeme

        Hameln         Leipzig          Potsdam          Berlin
Tel.:   05151-9468-0   034206-6593-0    0331-743881-0    030-8058693-0
Fax :   05151-9468-88  034206-6593-88   0331-743881-31   030-8058693-88
email : kseydel(at)am-soft(dot)de       http://www.am-soft.de

----- Original Message -----
From: "Mitch Vincent" <mitch(at)doot(dot)org>
To: <pgsql-odbc(at)postgresql(dot)org>
Sent: Wednesday, January 23, 2002 9:01 PM
Subject: Re: [ODBC] SSL Support?

> Thanks!
>
> I did check out the website and can't seem to find a link to a FAQ (and the
> documentation didn't mention SSL as far as I could find).. Perhaps I'm
> mistaken, sometimes things hide in plain view with me :-)
>
> -Mitch
>
> ----- Original Message -----
> From: "Cedar Cox" <cedarc(at)visionforisrael(dot)com>
> To: "Mitch Vincent" <mitch(at)doot(dot)org>
> Sent: Wednesday, January 23, 2002 1:46 PM
> Subject: Re: [ODBC] SSL Support?
>
>
> >
> > No. (um.. IIRC. Read the docs/faqs). Use something like ssh tunnels..
> > You should probably visit http://odbc.postgresql.org
> >
> > -Cedar
> >
> > On Wed, 23 Jan 2002, Mitch Vincent wrote:
> >
> > > I'm new to ODBC, and Windows programming (though I've been programming with
> > > PostgreSQL for years, never with ODBC from Windows.)
> > >
> > > Is there any SSL support in the ODBC driver for PostgreSQL ?
> > >
> > > Thanks!
> > >
> > > -Mitch
> > >
> >
> >
>
>
>
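
The lock-down step in the message above (the database accepting connections only from localhost, so that the stunnel endpoint is the only network path to it) can be checked mechanically. The following is an added example, not part of the original thread: it assumes current PostgreSQL pg_hba.conf and postgresql.conf syntax, and the function names and sample files are constructed for illustration.

```python
import ipaddress
import re

# pg_hba.conf record types that match TCP/IP clients ("local" is Unix-socket only).
TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

def _client_net(fields):
    """Return (client network or None, auth method) for one TCP record."""
    try:
        if "/" in fields[3]:  # CIDR form: ADDRESS METHOD
            return ipaddress.ip_network(fields[3], strict=False), fields[4]
        # Separate-netmask form: ADDRESS MASK METHOD
        return ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False), fields[5]
    except (ValueError, IndexError):
        return None, fields[4]  # "all", "samenet", a hostname: treated as not loopback

def open_hba_rules(pg_hba_text):
    """List (line number, record) for records that admit non-localhost clients."""
    findings = []
    for no, raw in enumerate(pg_hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in TCP_TYPES:
            continue  # blank line, comment, or Unix-socket record
        net, method = _client_net(fields)
        if method != "reject" and (net is None or not net.is_loopback):
            findings.append((no, " ".join(fields)))
    return findings

def open_listeners(postgresql_conf_text):
    """List listen_addresses entries that bind beyond loopback (last setting wins)."""
    hits = re.findall(r"^\s*listen_addresses\s*=?\s*'([^']*)'", postgresql_conf_text, re.M)
    value = hits[-1] if hits else "localhost"  # PostgreSQL's default when unset
    return [a.strip() for a in value.split(",") if a.strip() and a.strip() not in LOOPBACK_NAMES]

# Constructed sample files, not taken from the thread.
SAMPLE_HBA = """\
local   all    all                              peer
host    all    all  127.0.0.1/32                scram-sha-256
host    all    all  ::1/128                     scram-sha-256
host    all    all  127.0.0.1  255.255.255.255  md5
host    appdb  app  192.0.2.0/24                md5
hostssl all    all  0.0.0.0/0                   scram-sha-256
host    all    all  10.0.0.0/8                  reject
"""
SAMPLE_CONF = "listen_addresses = 'localhost, 192.0.2.10'\n"

if __name__ == "__main__":
    print(open_hba_rules(SAMPLE_HBA), open_listeners(SAMPLE_CONF))
```

Both functions returning an empty list means the server only takes TCP connections that originate on the machine itself, which is the state the message describes once the tunnel works.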
