Using SSL for secure connections to the DB

From: "Wagener, Johannes J" <Johannes(dot)Wagener(at)standardbank(dot)co(dot)za>
To: <pgsql-admin(at)postgresql(dot)org>
Subject: Using SSL for secure connections to the DB
Date: 2006-05-09 17:02:07
Message-ID: 286154FA8F0D934ABD16025C6B5B3CC30311E349@00172MSGJNB0048.adcplace.sbicdirectory.com
Lists: pgsql-admin

Hi Everyone,

Hope you guys can help.

I moved our Database to a separate server and I would like to use SSL
for all connections (The server runs RH9, PostgreSQL 8).

I read the postgresql documentation and setup everything accordingly.
I.e.
- built the server with ssl support.
- changed the postgresql.conf file to enable ssl
- changed pg_hba.conf file to only allow ssl connections from certain
hosts. (All entries were changed to "hostssl" in order to force SSL
connections).
- generated the server certificate and key.
- rebuilt libpqxx (which sits on top of libpq)
- rebuilt our application programs that use libpqxx

I tested the setup initially with PGAdmin3 by changing the SSL option to
"require". And this seemed to work just fine.

The problem came in when I tried to change our application programs
(that use the libpqxx library) to use SSL connections (They are Web
based apps and we use apache).
I changed the connection string in all connections to include the
"sslmode=require" option and started testing.
When the applications try to connect to the database server the
following message appears in the Postgresql log file:
------------------------------------------------------------------------
Could not accept SSL connection: EOF detected
------------------------------------------------------------------------

I googled this but I did not find much useful information on the
subject.
I tried several things to resolve this but I kept getting the same
messages. I also tried this from Perl and Tcl but still get the
same result.
Funny thing is - it does not matter what I change "sslmode" to - I still
get the same error message in the log - even when I change "hostssl" to
just "host" in the pg_hba.conf file I still get the same messages in the
log.

Could it have something to do with my ssl certificates? I do not use
the "root.crt" file, so the server should not request or check client
certificates and should only use ssl for communication security
(according to the documentation). The way I understand this is that a
user's (apache) normal password will be used for authentication and that
ssl will only be used to encrypt the communication between client and
server. Is this assumption correct? (This did seem to apply when I
tested the setup with PGAdmin3.)
In the future I would like to implement client authentication via
certificates but as far as I can tell (googled) this cannot be achieved
at the application level yet. Is this true?
If it's not - how do I ensure that the client certificate is supplied
when the program runs when started from apache?

Thanks in advance.

Hannes Wagener
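Two checks for the setup described in this thread, as an added example that is not part of the original post or of PostgreSQL itself: it audits pg_hba.conf text for records that still accept unencrypted TCP connections, and classifies the `sslmode` in a libpq connection string (the `verify-ca`/`verify-full` values exist only in libpq releases later than the one discussed here; a plain `require` encrypts the link but does not check the server's identity). The pg_hba.conf records and connection strings below are constructed sample data.

```python
"""Audit PostgreSQL SSL settings on both sides (constructed sample data)."""
import shlex
from typing import List, Optional

# libpq sslmode values, weakest to strongest; modes below "require" may
# fall back to cleartext, and only verify-* check the server certificate.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2,
                "require": 3, "verify-ca": 4, "verify-full": 5}

# Constructed pg_hba.conf: one record was left as 'host' by mistake.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  CIDR-ADDRESS      METHOD
local     all       all                     md5
hostssl   all       all   192.168.10.0/24   md5
host      all       all   192.168.20.5/32   md5   # web server, not hostssl
hostnossl all       all   10.0.0.0/8        trust
"""


def parse_conninfo(conninfo: str) -> dict:
    """Split a libpq keyword=value connection string into a dict."""
    params = {}
    for token in shlex.split(conninfo):      # shlex keeps quoted values intact
        key, _, value = token.partition("=")
        params[key.strip()] = value.strip()
    return params


def sslmode_weakness(conninfo: str) -> Optional[str]:
    """Describe what the connection string's sslmode does NOT guarantee."""
    mode = parse_conninfo(conninfo).get("sslmode", "prefer")  # libpq default
    rank = SSLMODE_RANK.get(mode, -1)
    if rank < SSLMODE_RANK["require"]:
        return f"sslmode={mode} permits a cleartext fallback"
    if rank == SSLMODE_RANK["require"]:
        return f"sslmode={mode} encrypts but does not verify the server identity"
    return None  # verify-ca / verify-full: encrypted and server checked


def audit_pg_hba(text: str) -> List[str]:
    """Return one finding per record that lets a TCP client connect without SSL."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type in ("host", "hostnossl"):  # 'local' is a Unix socket, 'hostssl' is fine
            address = fields[3] if len(fields) > 4 else "?"
            findings.append(f"line {lineno}: '{conn_type}' record for {address} "
                            "accepts unencrypted TCP connections")
    return findings
```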

