Re: SSL question

From: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "CS DBA *EXTERN*" <cs_dba(at)consistentstate(dot)com>, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: SSL question
Date: 2013-02-05 08:32:52
Message-ID: A737B7A37273E048B164557ADEF4A58B057AF9BB@ntex2010a.host.magwien.gv.at
Lists: pgsql-admin

CS DBA wrote:
> We have a client that is asking for a service as follows:
>
> - a virtual machine in our data center
> - they want to upload files to the VM via sftp
> - they want to connect to a local db server on the VM via SSL
>
> Here's my question;
> Do I need to pay for an official SSL cert? If so, they seem to be tied
> to an apache config. Am I missing something?

I don't see how Apache comes in here.

I hope I understand correctly that your customer wants
a PostgreSQL client on his/her machine to connect to
a PostgreSQL server on your machine with SSL.

Will the connection be via the C API, JDBC, Npgsql
or something else?

Do you want to use SSL for encryption or also for
authentication?

If you only need encryption, you can use a random
self-signed certificate on the database server, and
you don't need anything on the client.

If you want to authenticate the client with SSL,
you have to make sure that the client's certificates
are signed by a certification authority that your
server trusts. Since that is in your hands, there's
no (technical) need to use a commercial certification
authority.

Suggested reading:
http://www.postgresql.org/docs/current/static/ssl-tcp.html
http://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-CERT
http://www.postgresql.org/docs/current/static/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY

Yours,
Laurenz Albe
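
Added example, not part of the original message: the two cases described above built with the openssl command line, a self-signed certificate (enough for encryption only) next to a private CA that signs the server and client certificates. File names, CNs and the role name "appuser" are assumptions; the PostgreSQL settings named in the comments are described in the linked documentation.

```shell
#!/bin/sh
# Added example: a private CA for PostgreSQL SSL, built with the openssl CLI.
# File names, CNs and the role name "appuser" are assumptions for illustration.

# Self-signed certificate. Used twice: as the CA root, and as the
# "random self-signed" certificate that is enough for encryption only.
self_signed() {   # $1 = dir, $2 = file base name, $3 = CN
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Certificate signed by the CA in $1/ca.crt (for the server or for a client).
issue_cert() {    # $1 = dir, $2 = file base name, $3 = CN
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 365 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"   # private keys must not be group/world readable
}

# Succeeds only if the certificate chains to the CA: the same chain check a
# server that trusts this CA makes on a client certificate.
signed_by_ca() {  # $1 = dir, $2 = file base name
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Print the certificate's CN; cert authentication compares it to the role name.
cert_cn() {       # $1 = dir, $2 = file base name
    openssl x509 -in "$1/$2.crt" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

demo() {
    d=$(mktemp -d) || return 1
    self_signed "$d" ca "Example Private CA"        # trust anchor you control
    issue_cert  "$d" server "db.example.internal"   # ssl_cert_file / ssl_key_file
    issue_cert  "$d" client "appuser"               # handed to the customer
    self_signed "$d" stranger "appuser"             # same CN, not signed by the CA
    for c in server client stranger; do
        if signed_by_ca "$d" "$c"; then r=trusted; else r=rejected; fi
        echo "$c (CN=$(cert_cn "$d" "$c")): $r"
    done
    rm -rf "$d"
}
demo
```

The CA certificate (not its key) is what the server is pointed at with ssl_ca_file; the "stranger" certificate carries the right CN but is rejected because it does not chain to that CA.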
