Re: Replication & TLS encryption - how?

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: lejeczek <peljasz(at)yahoo(dot)co(dot)uk>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Replication & TLS encryption - how?
Date: 2021-04-09 17:55:26
Message-ID: 933348165a7555c5a0a7c78a0234e3395e8efea8.camel@cybertec.at
Lists: pgsql-admin

On Fri, 2021-04-09 at 16:43 +0100, lejeczek wrote:
> > > I get what you were saying but I also wondered - when I
> > > showed my "primary_conninfo" & pg_hba: why does replication
> > > appear to work without the bits you mention and what is the
> > > significance of 'clientcert=1' in all this.
> >
> > Replication works just fine when unencrypted.
> >
> > "clientcert=1" (in versions before v12) means that the server will
> > reject a client connection unless it sends a client certificate that is
> > signed by an authority that the server recognizes.
>
> And by 'recognizes' we would mean the one from 'ssl_ca_file'
> which, if true then I still have to wonder why my pgSQLs
> were not happy.
> My first guess and first question at the same time would be
> - could be because how my certs were crafted?
> Beyond "regular" certs params, or something "extra" in other
> words, I requested my certs to have 'Extended Key Usage'
> Thus my certs have both: TLS Web Server Authentication, TLS
> Web Client Authentication which I thought is a 'must' since
> pgSQL in replication/clusters is both server and the
> client. (no?)

This seems to be an SSL question unrelated to PostgreSQL.

Perhaps you can use SSL tools like "openssl s_client" and
"openssl s_server" to debug this.

> > > Does that confirm healthy & encrypted replication?
> >
> > Compare with the lines in "pg_stat_replication". If the entry with "ssl" = true
> > (pid 78705) has the same PID as the entry in "pg_stat_replication", then that
> > connection is encrypted, yes.
>
> I think those match, but what is that 'Record 3' (which has
> no match in 'pg_stat_replication', I can guess but I'd rather
> ask), master-supplier with two standbys is my setup.
> -[ RECORD 1 ]-+-----------------------
> pid | 108394
> ssl | t
> version | TLSv1.3
> cipher | TLS_AES_256_GCM_SHA384
> bits | 256
> compression | f
> client_dn |How should I know?
> client_serial |
> issuer_dn |
> -[ RECORD 2 ]-+-----------------------
> pid | 108395
> ssl | t
> version | TLSv1.3
> cipher | TLS_AES_256_GCM_SHA384
> bits | 256
> compression | f
> client_dn |
> client_serial |
> issuer_dn |
> -[ RECORD 3 ]-+-----------------------
> pid | 111811
> ssl | f
> version |
> cipher |
> bits |
> compression |
> client_dn |
> client_serial |
> issuer_dn |

It might well be your own local connection on which you are
running the query...

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
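Laurenz's cross-check of "pg_stat_ssl" against "pg_stat_replication" by PID, written out as two queries. This is an added example, not code from the thread; it assumes PostgreSQL 12 or 13 (the releases whose pg_stat_ssl still carries the columns shown in the records above), run on the primary by a role that can read both views (superuser or pg_monitor).

```sql
-- Added example, not from the thread. Query 1: every walsender on the primary
-- joined to its TLS state. A row with ssl = f is a standby streaming in clear
-- text; client_dn stays NULL unless the standby presented a client certificate
-- (which is what clientcert=1 in pg_hba.conf would have demanded).
SELECT r.pid,
       r.client_addr,
       r.application_name,   -- usually the standby's cluster_name / primary_conninfo value
       r.state,
       s.ssl,
       s.version,
       s.cipher,
       s.client_dn,
       s.issuer_dn
FROM   pg_stat_replication AS r
JOIN   pg_stat_ssl         AS s USING (pid)
ORDER BY r.pid;

-- Query 2: the leftovers, i.e. pg_stat_ssl rows that are NOT replication
-- connections. The session running this very query appears here with
-- is_this_session = t, which is the "RECORD 3" (ssl = f, local socket) above.
SELECT s.pid,
       s.ssl,
       a.backend_type,
       a.usename,
       a.client_addr,        -- NULL for a Unix-socket connection such as local psql
       s.pid = pg_backend_pid() AS is_this_session
FROM   pg_stat_ssl      AS s
JOIN   pg_stat_activity AS a USING (pid)
WHERE  s.pid NOT IN (SELECT pid FROM pg_stat_replication)
ORDER BY s.pid;
```

If query 1 returns fewer rows than you have standbys, or any row with ssl = f, that standby is either not connected or not negotiating TLS, and its primary_conninfo (sslmode, sslcert/sslkey) is the place to look.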
