Re: ssl database connection problems...

From: Carol Walter <walterc(at)indiana(dot)edu>
To: Ray Stell <stellr(at)cns(dot)vt(dot)edu>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: ssl database connection problems...
Date: 2009-01-23 19:04:21
Message-ID: EFEA0D1F-71D0-49E6-A512-BCE5E93CE8E2@indiana.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin


On Jan 22, 2009, at 1:27 PM, Ray Stell wrote:

> On Thu, Jan 22, 2009 at 10:35:22AM -0500, Carol Walter wrote:
>> I'm still having problems with ssl. My ssl_ciphers line in
>> postgresql.conf
>> looks as the following:
>>
>> ssl_ciphers 'ALL:!ADH:!LOW:@STRENGTH'
>
> this parameter was not available in 8.2.x when I tested so what
> I say here has little basis.
>
> 1. no equal sign?

Yes, it does need an equal sign. That was a type-o that I just didn't
see. Fixed and re-ran. Still doesn't work.
>
> 2. isn't this a list of values to choose from so should it be:
> ssl_ciphers='ALL' ???

Yes, This says "All but ADH and low." I changed this line to just be
ssl_ciphers = 'ALL' . Stopped, started, and re-ran and it still
doesn't connect. The messages in the log file say "cipher or hash
unavailable". Since the files of the ciphers are definitely on the
system, this suggests that either postgres doesn't know where to find
them or the permission on them are wrong.
>
> 3. the doc does not say what happens if the the guy is commented
> out: http://www.postgresql.org/docs/8.3/interactive/runtime-config-connection.html#GUC-SSL-CIPHERS
> I wonder what the default is?

The default is
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL
ciphers

>
> 4. the doc: http://www.postgresql.org/docs/8.3/interactive/ssl-
> tcp.html
> says: "a list of ciphers can be specified" which makes it sound
> optional, but again, I'm without clue.
>
>
It needs a cipher or a hash. I don't know what it might use as a
hash. I found the cipher files. Unfortunately, I have two sets
because I have two versions of OpenSSL running. This might be part
of my problem, but I don't want to take a chance on messing up what's
already running. I don't know how to tell postgres which set of
cipher files to use. It's in the OpenSSL path, but not the complete
path.

>> Do you have any ideas for me to try to solve this problem?
>
>
Thanks,
Carol
> --
> Sent via pgsql-admin mailing list (pgsql-admin(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

In response to

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Kevin Kempter 2009-01-23 19:14:04 triggers on system tables ?
Previous Message Michael Monnerie 2009-01-23 12:57:07 Re: Why is that index not used?