Re: SSL auth problem

From: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "Vitaliyi *EXTERN*" <imgrey(at)gmail(dot)com>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: SSL auth problem
Date: 2008-05-16 06:33:09
Message-ID: D960CB61B694CF459DCFB4B0128514C2021DDA19@exadv11.host.magwien.gv.at
Lists: pgsql-general

Vitaliyi wrote:
> I'm trying to set up SSL auth.
>
> creating CA:
>
> openssl genrsa -out our.key 2048
> openssl req -new -key our.key -out our.req
> openssl req -x509 -in our.req -text -key our.key -out root.crt
>
> then I copy root.crt to the postgresql host and to the client host in
> ~/.postgresql
>
> generating another key on the server:
>
> openssl genrsa -out server.key 2048
> then a request for signing by the CA:
> openssl req -new -key server.key -out server.req
>
> signing on the CA:
>
> openssl req -x509 -in server.req -text -key our.key -out server.crt
>
> now the postgresql data dir contains the following files:
>
> server.crt
> server.key
> root.crt
> and blank root.crl
>
> on client host:
>
> cd ~/.postgresql
> openssl genrsa -out postgresql.key 2048
> then sign it with our.key on the CA and place postgresql.crt and root.crt
> in ~/.postgresql
>
>
> This is my picture of what is happening:
>
> 1. we use our CA public key to generate root.crt:
>
> root_signature = ca_pub_key**ca_priv_key % n
>
> 2. on the postgres server we create a key pair and sign the public key on the CA, receiving
> server_signature (server.crt):
>
> server_signature = server_pub_key**root_priv_key % n
>
> The client uses server_signature before encrypting and sending a message to the server:
>
> server_pub_key = server_signature**root_pub_key % n
>
> if server_pub_key is valid then the user encrypts the message with server_pub_key.
>
>
> 3. The client generates his own key pair and asks our CA to
> sign his public key.
>
> client_signature = client_pub_key**ca_priv_key % n
>
> He writes client_signature to postgresql.crt, which the server uses when sending something
> to the client:
>
> client_pub_key = client_signature**root_pub_key % n
>
>
> If everything is correct, then why is psql complaining:
>
> psql "dbname=me sslmode=require host=postgres_server user=me"
> psql: SSL error: certificate verify failed
>
> log on postgres_server:
>
> postgres[98462]: [3-1] LOG: could not accept SSL connection: tlsv1
> alert unknown ca

I could not follow completely, so let me ask:

- Did you put the same thing in root.crt on both client and server?
- Does root.crt contain a self-signed certificate?
- Does root.crt contain the certificate that was used to sign server.crt and postgresql.crt?
- Are there any SSL messages in the server log file immediately after server startup?

Yours,
Laurenz Albe
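
The four questions in the reply can be answered with openssl on the files themselves, before psql is involved at all. The script below is an added example and is not part of this thread or of PostgreSQL; it assumes only the openssl command-line tool. It builds a CA, a server certificate and a client certificate into a scratch directory, laid out like the data directory and ~/.postgresql in the question (the names "Example Root CA", "postgres_server" and "me" are made up for the demo), and then checks that root.crt is self-signed, that server.crt and postgresql.crt chain to it, and that each private key belongs to the certificate beside it. The leaf certificates are issued with `openssl x509 -req -CA ... -CAkey ...`, because `openssl req -x509` always produces a certificate whose issuer is the subject of the request itself; the last step reproduces that outcome from a server CSR and shows that such a certificate does not chain to root.crt, which is the situation behind a "unknown ca" alert.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): build a CA-signed
# chain as the PostgreSQL server (root.crt, server.crt, server.key) and
# client (~/.postgresql/root.crt, postgresql.crt, postgresql.key) expect it,
# then run the checks from the reply over the files. All names are made up.
set -eu
# Exit 0 when openssl is absent so scripted runs report "skipped", not "failed".
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

# Minimal config so 'openssl req' runs without a system openssl.cnf and the
# CA certificate carries CA:TRUE; the empty [dn] section is filled by -subj.
write_req_config() {  # write_req_config dir
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Key -> CSR -> certificate signed by the CA key. This is the step that
# 'openssl req -x509' cannot perform: it only ever emits a certificate
# issued by the request's own subject.
issue_leaf() {  # issue_leaf dir name subject
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.req"
    openssl x509 -req -in "$1/$2.req" -CA "$1/root.crt" -CAkey "$1/our.key" \
        -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

build_pki() {  # build_pki dir
    mkdir -p "$1"
    write_req_config "$1"
    openssl genrsa -out "$1/our.key" 2048 2>/dev/null
    # The one legitimate use of 'req -x509' here: the self-signed root.
    openssl req -new -x509 -config "$1/req.cnf" -extensions v3_ca \
        -key "$1/our.key" -subj "/CN=Example Root CA" -days 365 -out "$1/root.crt"
    issue_leaf "$1" server "/CN=postgres_server"   # server.crt + server.key
    issue_leaf "$1" postgresql "/CN=me"            # postgresql.crt + postgresql.key
}

# Check 1: root.crt must verify against itself, i.e. be self-signed.
is_self_signed() {  # is_self_signed root.crt
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Check 2: the leaf must chain to the certificate in root.crt. When this
# fails, the server logs "unknown ca" and psql reports "certificate verify failed".
signed_by() {  # signed_by root.crt leaf.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the private key next to a certificate must be the one it certifies.
key_matches_cert() {  # key_matches_cert leaf.crt leaf.key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# All checks over a directory laid out like the one in the question.
check_pg_certs() {  # check_pg_certs dir
    is_self_signed "$1/root.crt"                || { echo "root.crt is not self-signed"; return 1; }
    signed_by "$1/root.crt" "$1/server.crt"     || { echo "server.crt not signed by root.crt"; return 1; }
    signed_by "$1/root.crt" "$1/postgresql.crt" || { echo "postgresql.crt not signed by root.crt"; return 1; }
    key_matches_cert "$1/server.crt" "$1/server.key"         || { echo "server.key does not match server.crt"; return 1; }
    key_matches_cert "$1/postgresql.crt" "$1/postgresql.key" || { echo "postgresql.key does not match postgresql.crt"; return 1; }
    echo "all certificate checks passed"
}

# Failure mode: 'req -x509' over the server's CSR, signed with the CA key,
# yields a certificate whose issuer is the server itself, not the CA.
make_self_issued_cert() {  # make_self_issued_cert dir
    openssl req -x509 -config "$1/req.cnf" -in "$1/server.req" -key "$1/our.key" \
        -days 365 -out "$1/wrong.crt" 2>/dev/null
}

main() {
    d=$(mktemp -d)
    build_pki "$d"
    check_pg_certs "$d"
    make_self_issued_cert "$d" || true
    if signed_by "$d/root.crt" "$d/wrong.crt"; then
        echo "unexpected: wrong.crt chains to root.crt"
    else
        echo "wrong.crt (from 'req -x509') does not chain to root.crt"
    fi
    rm -rf "$d"
}
main
```

To apply the checks to a real installation, run `check_pg_certs` against the data directory (with postgresql.crt and postgresql.key copied in from the client) and against ~/.postgresql; a non-empty root.crl in the data directory is not covered here. The connection itself is not exercised, since no server is started.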
