From: | Michael Fuhr <mike(at)fuhr(dot)org> |
---|---|
To: | Jeanna Geier <jgeier(at)apt-cafm(dot)com> |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Beginning SSL Questions |
Date: | 2006-09-14 15:01:57 |
Message-ID: | 20060914150157.GA76098@winnie.fuhr.org |
Lists: | pgadmin-support pgsql-admin |

On Thu, Sep 14, 2006 at 09:17:00AM -0500, Jeanna Geier wrote:
> - In the docs, it says that when using SSL in Postgres "This requires
> that OpenSSL is installed on both client and server systems and
> that support in PostgreSQL is enabled at build time" - is this
> correct?

PostgreSQL must have been built with the --with-openssl configure
option and the server needs "ssl = on" in postgresql.conf.

> Or can we use the certificates and keystore file we generated using
> the Java keytool implementing SSL with Tomcat?

You can use the same certificate and key but you'll need to copy
them to your $PGDATA directory as server.crt and server.key (whether
using the same certificate and key is a good idea is an administrative
and/or security matter, but from a technical standpoint it should
work). If you want to require SSL client authentication then also
install the CA certificate(s) as root.crt. I'd suggest getting
non-authenticated SSL working first and only then set up client
authentication if you need it.

If you want to require SSL connections (authenticated or not) then
use "hostssl" in pg_hba.conf and make sure no other entry will match
a non-SSL connection.

> - In perusing the mailing list, it appears that this is not going
> to be a 'simple' task...any pointers that anyone can give to me
> before we start? If possible, I'd like to avoid another hair-pulling
> three week task! =o)

Setting up SSL is simple. Read "Secure TCP/IP Connections with
SSL," "SSL Support," and "Client Authentication" in the documentation
and follow the instructions therein.

http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html
http://www.postgresql.org/docs/8.1/interactive/client-authentication.html

If you have trouble then please report what you did, what you
expected to happen, and what did happen (including client and server
error messages).

--
Michael Fuhr