Re: configuring openssl for postgres 9.2 for the first time

From: Mark Steben <mark(dot)steben(at)drivedominion(dot)com>
To: Ray Stell <stellr(at)vt(dot)edu>
Cc: pgsql-admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: configuring openssl for postgres 9.2 for the first time
Date: 2014-02-04 20:39:37
Message-ID: CADyzmywWK=+a2rwRYmDcMVPXgSH7vYfQTBkr-wTWqvsfGzZi4g@mail.gmail.com
Lists: pgsql-admin

Hi Ray,
I just tried your suggestion:
hostssl all all 0.0.0.0/0 md5 clientcert=1

and got the same error:
no pg_hba.conf entry for host "10.10.4.34", user "postgres", database "marktst", SSL off

Perhaps if I can get some insight as to how to determine what sslmode (if
any) my client
is subscribed to, then I can follow through further with Ray's
recommendation.

Thanks for any help,

On Fri, Jan 31, 2014 at 5:48 PM, Ray Stell <stellr(at)vt(dot)edu> wrote:

>
> On Jan 30, 2014, at 2:00 PM, Mark Steben <mark(dot)steben(at)drivedominion(dot)com>
> wrote:
>
> Hello,
>
> We are looking to provide openssl methodology into our testing
> environment. I've run into this issue
> when attempting to access from a client to a remote postgres server after
> SSL configuration:
>
> from client 10.10.4.34:
> psql -U postgres marktst -h 10.10.4.52
> psql: FATAL: no pg_hba.conf entry for host "10.10.4.34", user "postgres", database "marktst", SSL off
>
>
>
> You might back off from ssl, client authentication just to see what
> happens with:
>
> hostssl all all 0.0.0.0/0 md5 clientcert=1
>
> This will provide the client auth of the server and require a password
> auth for the client. Hopefully that works first. I've seen your msg and
> had some effect with the following env variable, but it's probably a long
> shot:
>
> "PGSSLMODE behaves the same as the sslmode <http://www.postgresql.org/docs/9.3/static/libpq-connect.html#LIBPQ-CONNECT-SSLMODE>"
> http://www.postgresql.org/docs/9.3/static/libpq-envars.html
> PGSSLMODE=verify-full will cause the client to verify that the CN on the
> server certificate matches the hostname of the server. disable will only
> try a non-SSL connection which will not be compatible with the pg_hba
> config.
>
> It is a bit of a fishing expedition.
>
>

--
*Mark Steben*
Database Administrator
@utoRevenue <http://www.autorevenue.com/> | Autobase<http://www.autobase.net/>

CRM division of Dominion Dealer Solutions
95D Ashley Ave.
West Springfield, MA 01089
t: 413.327-3045
f: 413.383-9567

www.fb.com/DominionDealerSolutions
www.twitter.com/DominionDealer
www.drivedominion.com <http://www.autorevenue.com/>
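
Added example, not part of either poster's message and not PostgreSQL's own code: a simplified model of how the server selects a pg_hba.conf line, showing why a connection that arrives without SSL gets the error quoted above when the only matching-address rule is `hostssl`. It assumes CIDR addresses and handles only `host`, `hostssl` and `hostnossl` lines; the function names and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample: the single rule quoted in the thread.
SAMPLE_HBA = """
# TYPE   DATABASE  USER  ADDRESS     METHOD  OPTIONS
hostssl  all       all   0.0.0.0/0   md5     clientcert=1
"""

def parse_hba(text):
    """Return (type, databases, users, network, method) for each TCP rule."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank, comment, "local", or a form not modelled here
        conn_type, dbs, users, addr, method = fields[:5]
        rules.append((conn_type, dbs.split(","), users.split(","),
                      ipaddress.ip_network(addr, strict=False), method))
    return rules

def match(rules, client_ip, user, database, ssl):
    """First matching rule wins; None means no rule matched (connection rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, dbs, users, net, method in rules:
        if conn_type == "hostssl" and not ssl:
            continue  # hostssl lines are skipped for plaintext connections
        if conn_type == "hostnossl" and ssl:
            continue  # hostnossl lines are skipped for SSL connections
        if ip.version != net.version or ip not in net:
            continue
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        return method
    return None

def explain(rules, client_ip, user, database, ssl):
    """Render the outcome in the same wording as the server's rejection message."""
    method = match(rules, client_ip, user, database, ssl)
    if method is None:
        return ('no pg_hba.conf entry for host "%s", user "%s", database "%s", SSL %s'
                % (client_ip, user, database, "on" if ssl else "off"))
    return "matched, auth method " + method

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ssl in (False, True):
        print(explain(rules, "10.10.4.34", "postgres", "marktst", ssl))
```

The "SSL off" at the end of the error is the useful part: it says the rejected attempt reached the server as a plaintext connection, so the `hostssl` line was never a candidate for it.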
