Re: SSL confirmation

On Sun, Dec 05, 2004 at 04:12:38PM +0000, Andrew M wrote:

> I am running postgreSQL and just wanted to know how I confirm that SSL
> is fully functional? I have placed server.key, server.crt and root.crt
> in the data folder and am able to launch postgreSQL with no problems. I
> m launching postgreSQl with the following command:
>
> /usr/local/pgsql/bin/postmaster -i -D /usr/local/pgsql/data

You can omit the -i if you have "tcpip_socket = true" (or set
listen_address if you're using 8.0) in postgresql.conf

> Is that sufficient to start SSL, how can I check?

You should have "ssl = true" in postgresql.conf (restart the backend
after making a change). When you make an SSL connection with psql,
psql should print a message like the following:

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

Make sure you're using a TCP connection instead of a local (Unix-domain)
connection. You can use psql's -h option or the PGHOST environment
variable to force a TCP connection (e.g., psql -h localhost).

See also the hostssl and hostnossl connection types in pg_hba.conf.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/