| From: | Carol Walter <walterc(at)indiana(dot)edu> | 
|---|---|
| To: | Ray Stell <stellr(at)cns(dot)vt(dot)edu> | 
| Cc: | pgsql-admin(at)postgresql(dot)org | 
| Subject: | Re: ssl database connection problems... | 
| Date: | 2009-01-21 17:50:23 | 
| Message-ID: | E0C8B5AA-621F-45A0-83C9-20A3AC4AFD5B@indiana.edu | 
| Lists: | pgsql-admin | 
Well, I cleared out other database problems and now I'm back to this one...

When I run the OpenSSL command below I get the following output...

```
-bash-3.00$ /usr/local/ssl/bin/openssl verify -CAfile ./root.crt testcert.pem
Error loading file ./root.crt
24149:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./root.crt','r')
24149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
24149:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
         sslclient       SSL client
         sslserver       SSL server
         nssslserver     Netscape SSL server
         smimesign       S/MIME signing
         smimeencrypt    S/MIME encryption
         crlsign         CRL signing
         any             Any Purpose
         ocsphelper      OCSP helper
```

The associated lines in my postgres log are these...

```
[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG:  connection received: host=129.79.36.241 port=33869
[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG:  could not accept SSL connection: cipher or hash unavailable
[postgres:walterc:2009-01-16 16:50:35 EST]LOG:  disconnection: session time: 0:06:03.150 user=postgres database=walterc host=[local]
```

There is a line concerning ssl ciphers in the postgresql.conf file. I'm wondering if that may be causing my problem. What should this be set to?
Carol
On Dec 29, 2008, at 9:36 PM, Ray Stell wrote:
> On Mon, Dec 29, 2008 at 04:23:30PM -0500, Carol Walter wrote:
>> "with openssl" when I initially configured the server.  Are there other
>> things that need to be done to get openssl started on the database server?
>> How can I diagnose this problem?
>>
>
> The files server.key, server.crt, root.crt, and root.crl are only examined
> during server start; so you must restart the server for changes in them
> to take effect.
>
> http://www.postgresql.org/docs/8.3/interactive/ssl-tcp.html
>
> It's been awhile since I played with this, but there's something about an
> environment var, PGSSLMODE.
>
> You can use openssl to verify the server/root ca correctness like this:
>
> openssl  verify -CAfile ./root.crt testcert.pem
>
> assuming openssl in the mix.