From: | Mikko Tiihonen <mikko(dot)tiihonen(at)nitorcreations(dot)com> |
---|---|
To: | Dave Cramer <pg(at)fastcrypt(dot)com> |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: SslTests failures |
Date: | 2011-11-22 20:31:20 |
Message-ID: | 4ECC0698.7000305@nitorcreations.com |
Lists: | pgsql-jdbc |
On 11/22/2011 09:40 PM, Dave Cramer wrote:
> Mikko,
>
> You probably (like me) have a very permissive pg_hba.conf file. It
> needs to be restricted so that local databases need to connect via
> ssl. At least that was my experience.
Thanks, that helped me further. I had to uncomment all lines starting with
"host all" or use the provided pg_hba.conf as is.
Now I have only 28 failures:
sslcertgh[89]-disable*
sslcertbh[89]-disable*
They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest"" on the JDBC driver side
and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on the server side.
I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which case I'll update the
documentation to say that the postgres account for SSL tests must be named "test".
> On Tue, Nov 22, 2011 at 2:34 PM, Mikko Tiihonen
> <mikko(dot)tiihonen(at)nitorcreations(dot)com> wrote:
>> Hi,
>>
>> I'm trying to run the SslTests but get 88 failures. It is probably something
>> I set up wrong in the environment.
>>
>> The following tests fail:
>>
>> sslhostnossl[89]-requireG*
>> sslhostnossl[89]-verify-caGG*
>> sslhostnossl[89]-verify-fullGG*
>>
>> sslhostsslgh[89]-disable*
>> sslhostsslbh[89]-disable*
>>
>> sslhostcertgh[89]-disable*
>> sslhostcertbh[89]-disable*
>>
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> All of them fail with unexpectedly successful connection (meaning: test
>> expected connection opening to fail but it succeeded).
>>
>> Here is a patch to the ssltest documentation describing how I have tried to
>> set-up the environment.
>>
>>
>> Index: certdir/README
>> ===================================================================
>> RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v
>> retrieving revision 1.1
>> diff -u -r1.1 README
>> --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1
>> +++ certdir/README 22 Nov 2011 19:29:27 -0000
>> @@ -42,3 +42,11 @@
>> The subdirectory server contains what should be copied to the PGDATA
>> directory.
>>
>> For the tests the sslinfo module must be installed into every database.
>> +The ssl=on must be set in postgresql.conf
>> +
>> +The following command creates the databases and installs the sslinfo
>> module.
>> +
>> +for db in hostssldb hostnossldb certdb hostsslcertdb; do
>> + createdb $db
>> + psql $db -c "create extension sslinfo"
>> +done
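Review bot: the setup text added after "For the tests the sslinfo module must be installed into every database." covers ssl=on and database creation but says nothing about pg_hba.conf, and the replies in this thread trace the unexpectedly successful connections to a permissive pg_hba.conf. Add a line saying the provided pg_hba.conf has to be used in place of a default one. In the loop, `psql $db -c "create extension sslinfo"` still runs when `createdb $db` has failed; joining the two commands with `&&` would stop at the first error. CREATE EXTENSION exists only from PostgreSQL 9.1 on, so the README should either state that minimum version or say how sslinfo is installed on older servers. "The ssl=on must be set" also reads better as "ssl=on must be set".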
>>
>> --
>> Sent via pgsql-jdbc mailing list (pgsql-jdbc(at)postgresql(dot)org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-jdbc
>>