Re: Connecting via SSL not working (except from psql)

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Paul Legato" <plegato(at)nks(dot)net>, <pgsql-admin(at)postgresql(dot)org>
Cc: <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Connecting via SSL not working (except from psql)
Date: 2002-08-07 08:35:08
Message-ID: 81124B76C0CF364EBAC6CD213ABEDEF71D3095@ARGON.edu.sollentuna.se
Lists: pgsql-admin pgsql-jdbc

Hi!

SSL is not enabled at connection time in pgsql - it is negotiated with
the postmaster, and enabled later. You need to send a correctly
formatted start message in clear text to the postmaster to initiate the
SSL negotiation first, and turn on SSL after that (assuming the
postmaster reports that SSL is Ok).
This is done so the postmaster can listen for both SSL and non-SSL
connections on the same port.

Take a look at how libpq does it. In 7.1.3, it starts at line 963 in
interfaces/libpq/fe-connect.c.
(Sorry, don't have the source to a newer version around right now - look
for comment on 'Attempt to negotiate SSL usage').

//Magnus

> -----Original Message-----
> From: Paul Legato [mailto:plegato(at)nks(dot)net]
> Sent: Tuesday, August 06, 2002 5:47 PM
> To: pgsql-admin(at)postgresql(dot)org
> Cc: pgsql-jdbc(at)postgresql(dot)org
> Subject: [ADMIN] Connecting via SSL not working (except from psql)
>
>
> Hi,
>
> I'm trying to connect to SSL-enabled Postgres (started with
> -i -l) using
> both the openssl command line utility and with a modified JDBC driver
> using the built in JSSE API from Java 1.4.
>
> If I attempt to connect from a shell with the openssl test
> utility, I get:
>
> $ openssl s_client -connect localhost:5432
> CONNECTED(00000003)
> 25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:460:
>
> With the JDBC driver, at connection I get:
>
> javax.net.ssl.SSLException: Unrecognized SSL message,
> plaintext connection?
>
> In both cases, the server logs the message "FATAL 1: invalid
> length of
> startup packet".
>
> A connection to the server with psql works fine, and prints "SSL
> connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
> manually specifying this cipher to openssl, which does not change the
> result.
>
> I'm stuck. Any suggestions or pointers will be greatly appreciated. :)
>
> Thanks,
> -Paul
>
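
The exchange described in the reply above, as an added example (not code from the original message or from libpq): the client sends the 8-byte SSLRequest in clear text, reads the postmaster's one-byte answer, and only then starts TLS on the same socket. The request code and the 'S'/'N' reply bytes follow the PostgreSQL frontend/backend protocol; the function names and the in-process peer standing in for the postmaster are constructed for illustration.

```python
import socket
import ssl
import struct

# SSLRequest = int32 length (8, counts itself) + int32 request code.
# The code is (1234 << 16) | 5679, NEGOTIATE_SSL_CODE in libpq.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def negotiate_ssl(sock: socket.socket) -> bool:
    """Send SSLRequest in clear text; True if the server accepts SSL."""
    sock.sendall(build_ssl_request())
    answer = sock.recv(1)  # exactly one byte: 'S' = yes, 'N' = no
    if answer == b"S":
        return True
    if answer == b"N":
        return False
    raise ConnectionError(f"unexpected reply to SSLRequest: {answer!r}")


def connect_tls(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Negotiate first, then start TLS on the same socket."""
    raw = socket.create_connection((host, port))
    try:
        if not negotiate_ssl(raw):
            # Fail closed instead of continuing unencrypted.
            raise ConnectionError("server refused SSL")
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


def demo(reply: bytes):
    """Run the exchange against a constructed in-process peer."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(reply)            # peer's queued answer
        accepted = negotiate_ssl(client)
        return accepted, server.recv(8)  # what the peer received


if __name__ == "__main__":
    print(demo(b"S"), demo(b"N"))
```

Pointing `openssl s_client` or a plain SSL socket at port 5432 skips the first step, so the postmaster reads the TLS handshake bytes as a startup packet, which matches the "invalid length of startup packet" error in the quoted message.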
