Re: FW: Setting up SSL for postgre

Little-known fact: Windows applications also accept forward slashes. The
reason you can't do it at the command line is because MS decided to use /,
instead of -, to indicate command line options, so any CLI application that
accepts options will be confused. (Commands that don't accept options can
also accept / in filenames.)

However you shouldn't have had to use double-quotes in your configuration.
In code, yes, but not in configuration files.

On Thu, Aug 30, 2018 at 5:58 AM Mark Williams <markwillimas(at)gmail(dot)com>
wrote:

> Hi,
>
> I have finally discovered the problem and thanks to everyone for their
> help.
>
> I have changed the
> Pg_hha.conf file to md5 clientcert=1 instead of just cert.
>
> It still didn't work and I read a suggestion on a link provided by Wim
> which
> suggested change sslmode to verify-ca.
>
> This threw up a new error, namely that it couldn't find the root
> certificate
> at the location I had specified. The reason for this was that although my
> file path was being ready by FireDAC correctly, when it was passed through
> to Postgre, it was removing the path delimiters. The answer was to escape
> the delimiters with a backslash eg "c:\\pathtomycerts\\postgre.sql.cert"
>
> I'm assuming you guys are all on Linux and don't have this problem.
>
> For the benefit of future Windows users, who may be tempted to give up on
> Postgre due to the agony of trying to connect with SSL it would be well
> worth a little addition to the manual at
>
> https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONN
> STRING to let Windows users know they need to escape their path delimiters.
>
> I will let Embarcadero know of this issue for FireDAC users.
>
> Aside from that little niggle, it's great to know that Postgre users are so
> willing to help. Many thanks again.
>
>
> __
>
> -----Original Message-----
> From: Wim Bertels <wim(dot)bertels(at)ucll(dot)be>
> Sent: 30 August 2018 08:56
> To: Mark Williams <markwillimas(at)gmail(dot)com>; 'Tim Cross'
> <theophilusx(at)gmail(dot)com>
> Cc: pgsql-admin(at)lists(dot)postgresql(dot)org; s(dot)dunand(at)sirap(dot)fr
> Subject: Re: FW: Setting up SSL for postgre
>
> Hallo Mark,
>
> in your pg_hha.conf you have used
>
> cert
>
> as authentication,
> which is authorization using a certificate (not a password) (as mailed
> before with documentation links)
>
> did you test pgadmin and firedac from the same client machine?
>
> hth,
> Wim
> ________________________________________
> Van: Mark Williams <markwillimas(at)gmail(dot)com>
> Verzonden: dinsdag 28 augustus 2018 20:52
> Aan: 'Tim Cross'
> CC: pgsql-admin(at)lists(dot)postgresql(dot)org; s(dot)dunand(at)sirap(dot)fr; Wim Bertels
> Onderwerp: RE: FW: Setting up SSL for postgre
>
> Hi Tim,
>
> Thanks for the reply.
>
> Unfortunately, I don't know what private certificate authorisation is. I
> assume this is different to SSL and is not the same as a self signed cert.
> I
> have created my certificate with OpenSSL so I assume I am not in the arena
> of private certificate authorisation.
>
> Thanks for the tip re Debian, but sadly client and server are all Windows
> machines.
>
> I think I will put a plea out there to anyone who uses FireDAC and has
> managed to get SSL working with Postgre. Absent anything useful there, I
> will give up on Postgre.
>
> All the best.
>
> Mark
>
> __
>
> -----Original Message-----
> From: Tim Cross <theophilusx(at)gmail(dot)com>
> Sent: 27 August 2018 23:05
> To: Mark Williams <markwillimas(at)gmail(dot)com>
> Cc: pgsql-admin(at)lists(dot)postgresql(dot)org; s(dot)dunand(at)sirap(dot)fr
> Subject: Re: FW: Setting up SSL for postgre
>
>
> Mark Williams <markwillimas(at)gmail(dot)com> writes:
>
> >
> >
> >
> >
> > __
> >
> >
> >
> > From: Mark Williams <markwillimas(at)gmail(dot)com>
> > Sent: 25 August 2018 18:14
> > To: 'Wim Bertels' <wim(dot)bertels(at)ucll(dot)be>
> > Subject: RE: Setting up SSL for postgre
> >
> >
> >
> > Hi Wim,
> >
> >
> >
> > I don't understand. If I don't include the password option, the
> > connection will be refused because I have not included it.
> >
> >
> >
> > I am connecting via PGAdmin with the same user ie postgres.
> >
>
> I suspect Wim was referring to private certificate authentication rather
> than connections over SSL - use the same basic technologies, but for
> different goals.
>
> While it may or may not be useful, I believe that recent versions of Debian
> actually come with SSL connections enabled by default (using self signed
> cert). Might provide the example you need?
>
> Tim
>
> --
> Tim Cross
>
> =
>
>
>