Re: stunnel with just postgresql client part

From: Merlin Moncure <mmoncure(at)gmail(dot)com>
To: zhong ming wu <mr(dot)z(dot)m(dot)wu(at)gmail(dot)com>
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: stunnel with just postgresql client part
Date: 2011-05-10 14:04:23
Message-ID: BANLkTi=u7kwZ=qCGzQX-2Yy8eTOcqEWfsw@mail.gmail.com
Lists: pgsql-general

On Tue, May 10, 2011 at 6:09 AM, zhong ming wu <mr(dot)z(dot)m(dot)wu(at)gmail(dot)com> wrote:
> On Mon, May 9, 2011 at 10:50 PM, Merlin Moncure <mmoncure(at)gmail(dot)com> wrote:
>
>> Now maybe *I'm* a little confused.  Are you connecting to the right
>> port (stunnel's secure port)? As I understand it, the stunnel pgsql
>> protocol is such that the client side libpq application can connect to
>> stunnel which unwraps the encrypted data and connects w/o ssl to
>> postgres.  From the server's point of view, the connection should be
>> unencrypted and from the client's it should remain encrypted.
>>
>> I can think of two reasons why you would want to do this:
>> *) pgbouncer, or some other connection pooler type piece of software
>> that does not support ssl
>> *) for loading purposes you are trying to keep all
>> encryption/decryption off the main server.
>>
>> merlin
>>
>
>
> My client connects to stunnel's local port.  Come to think of it..
> assuming that the line
>
> "SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)"
>
> comes from psql I am getting the expected behavior.  Because psql
> connects to stunnel local port unencrypted.  stunnel encrypts the data
> and sends it to the postgres server.  The server accepts the
> connection because it is coming in encrypted.

yup, you're right. I always set it up the other way so I just assumed
that's what you were doing.

> It would also be nice to find out from the pg server that the
> communication is encrypted.  I just don't see a way to find it out
> except from the following two facts: 1) my server is configured to be
> just so 2) the output of 'ps' which tells me how the connection is
> coming in.

100% agree. maybe a column in pg_stat_activity showing the encryption protocol?

merlin
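The setup zhong ming wu describes above (psql talking in the clear to a local stunnel port, stunnel wrapping the session in TLS on its way to the server), written out as a stunnel client-side configuration. This is an added example, not a file from this thread or from the stunnel or PostgreSQL projects; the host name, port numbers, pid path and CA file path are assumptions.

```ini
; stunnel client-side configuration (added example; every value below is assumed)
; psql connects unencrypted to 127.0.0.1:5433. stunnel opens a TLS session to the
; real server and performs the PostgreSQL SSLRequest negotiation on psql's behalf
; (protocol = pgsql), so from the server's side this is an ordinary SSL client.
client = yes
pid = /var/run/stunnel-pgsql.pid

[pgsql]
accept  = 127.0.0.1:5433
connect = db.example.com:5432
protocol = pgsql
; Encryption alone does not tell you who you are talking to: require the
; server certificate to chain to a CA you trust, or stunnel will encrypt
; to whatever answers on port 5432.
verify = 2
CAfile = /etc/stunnel/pg-server-ca.pem
```

Connect with `psql "host=127.0.0.1 port=5433 sslmode=disable dbname=..."`: stunnel already does the SSLRequest handshake for the local hop, so libpq should not attempt one of its own. On the server, a `hostssl` line in pg_hba.conf for the client's address (with no matching `host` line) rejects anything that arrives unencrypted, which is the "configured to be just so" fact from the post. For the per-connection check the thread wishes for, PostgreSQL 9.5 and later ship the `pg_stat_ssl` view (`SELECT pid, ssl, version, cipher FROM pg_stat_ssl;`), joinable to pg_stat_activity on pid, so the encryption state of each backend can be read from SQL rather than from `ps`.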
