From: | "Klemens Seydel" <pierromail(at)gmx(dot)de> |
---|---|
To: | "Mitch Vincent" <mitch(at)doot(dot)org> |
Cc: | <pgsql-odbc(at)postgresql(dot)org> |
Subject: | Re: SSL Support? |
Date: | 2002-01-24 03:01:17 |
Message-ID: | 019301c1a483$694a42b0$1764a8c0@potsdam.amsoft.de |
Lists: | pgsql-odbc |

Hi Mitch,

there will be no point in the FAQs concerning the setup of secure
tunnels, since it's not *PART* of PostgreSQL but a way of *USING* it.

Setting up an SSL tunnel is really easy:

1. Get Stunnel (www.stunnel.org)
2. Unpack on Client, Unpack on Server
3. Run on Server:
   stunnel-3.20.exe -p <pem-file> -d <sslextport> -r localhost:<dbport>
4. Run on Client:
   stunnel-3.20.exe -c -d <localport> -r <server>:<sslextport>
5. Make your ODBC connection (yes, I mean client side) listening
   to localhost:<localport>
6. See it working

Now, if all works and you want to make it bombsafe, change your
database configuration to only accept new connections from the
inside "localhost"/"127.0.0.1" but no other hosts. The only way
the data can still be accessed is from your brand new SSL tunnel
or the server machine itself.

You see, it requires at minimum a certificate (i.e. a *.pem file) on the
server side (optional on the client side), suggesting you already got a
working certificate from your root authority. Get a simple (free)
certificate only for testing purposes from www.thawte.com.
They will contact you if you need a personal identity certificate
or a root key so you can be your own root authority, giving out
identity certs to your customers or workers or anybody else.

The scheme is easy to understand:

[Server] SSL-Port [ ]<----- SSL on TCP/IP ----->[ ] SSL-Port [Client]
   |               |                             |               |
   |               |                             |               |
   |    (stunnel sitting here)        (stunnel sitting here)     |
   |           (trusted)                         |               |
   |               |                             |               |
  [ ] DB-Port      |                             |      DB-Port [ ]
   |_______________|                             |_______________|

That's just a sample config, working locally here on my machine, for a
custom project to be moved to the internet soon. I only need to change the
hosts in the config files from "localhost" to the corresponding server IP
address. I use the newest WinXP + MySQL and RH Linux/pgsql; the stuff works
fine on both systems (better should I say worlds?).

I hope I lightened it out enough.

Regards from Germany,
Klemens Seydel

AM-Soft - IT-Systeme
        Hameln          Leipzig          Potsdam          Berlin
Tel.:   05151-9468-0    034206-6593-0    0331-743881-0    030-8058693-0
Fax :   05151-9468-88   034206-6593-88   0331-743881-31   030-8058693-88
email : kseydel(at)am-soft(dot)de   http://www.am-soft.de

----- Original Message -----
From: "Mitch Vincent" <mitch(at)doot(dot)org>
To: <pgsql-odbc(at)postgresql(dot)org>
Sent: Wednesday, January 23, 2002 9:01 PM
Subject: Re: [ODBC] SSL Support?
> Thanks!
>
> I did check out the website and can't seem to find a link to a FAQ (and the
> documentation didn't mention SSL as far as I could find).. Perhaps I'm
> mistaken, sometimes things hide in plain view with me :-)
>
> -Mitch
>
> ----- Original Message -----
> From: "Cedar Cox" <cedarc(at)visionforisrael(dot)com>
> To: "Mitch Vincent" <mitch(at)doot(dot)org>
> Sent: Wednesday, January 23, 2002 1:46 PM
> Subject: Re: [ODBC] SSL Support?
>
>
> >
> > No. (um.. IIRC. Read the docs/faqs). Use something like ssh tunnels..
> > You should probably visit http://odbc.postgresql.org
> >
> > -Cedar
> >
> > On Wed, 23 Jan 2002, Mitch Vincent wrote:
> >
> > > I'm new to ODBC, and Windows programming (though I've been programming with
> > > PostgreSQL for years, never with ODBC from Windows.)
> > >
> > > Is there any SSL support in the ODBC driver for PostgreSQL ?
> > >
> > > Thanks!
> > >
> > > -Mitch
> > >
> >
> >
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>
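
Added example, not part of the original message or thread: one way to check the lock-down step described above (the database accepting connections only from localhost once the tunnel works) is to audit PostgreSQL's pg_hba.conf for TCP rules that admit non-loopback clients. The function names are hypothetical, the sample file is constructed, and the modern pg_hba.conf column layout is assumed.

```python
import ipaddress

# Constructed sample pg_hba.conf (modern column layout assumed, not from the post).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               peer
host    all       all   127.0.0.1/32                md5
host    all       all   ::1/128                     md5
host    all       all   127.0.0.1  255.255.255.255  md5
host    appdb     app   192.168.100.0/24            md5
hostssl all       all   all                         md5
host    all       all   0.0.0.0/0                   reject
"""

TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_rule(fields):
    """Return (network or None, auth method) for one TCP rule."""
    addr = fields[3]
    # Older files give the netmask as a separate column instead of CIDR.
    mask_style = "/" not in addr and fields[4][:1].isdigit()
    cidr = f"{addr}/{fields[4]}" if mask_style else addr
    method = fields[5] if mask_style and len(fields) > 5 else fields[4]
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        net = None  # host name or keyword such as "all" / "samenet"
    return net, method


def audit_pg_hba(text):
    """List (line_no, rule) for TCP rules that admit non-loopback clients."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if not fields or fields[0] not in TCP_TYPES:
            continue  # blank line, comment, or unix-socket "local" rule
        if len(fields) < 5:
            findings.append((line_no, line))  # malformed: review by hand
            continue
        net, method = parse_rule(fields)
        if method != "reject" and (net is None or not net.is_loopback):
            findings.append((line_no, line))
    return findings


if __name__ == "__main__":
    for line_no, rule in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {line_no}: accepts non-local clients: {rule}")
```

An empty result means every TCP rule is limited to loopback addresses, which is the state the message recommends once the stunnel endpoints are in place.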