Re: 8.0 Beta3 worked, RC1 didn't!

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: "A(dot) Mous" <a(dot)mous(at)shaw(dot)ca>, pgsql-general(at)postgresql(dot)org
Subject: Re: 8.0 Beta3 worked, RC1 didn't!
Date: 2004-12-22 05:39:36
Message-ID: 20041222053935.GA80983@winnie.fuhr.org
Lists: pgsql-general

On Tue, Dec 21, 2004 at 07:06:00PM -0800, Joshua D. Drake wrote:

> The clients connecting remotely... do they support SSL? It looks
> like to me that you have ssl enabled. I would check the pg_hba.conf
> and the postgresql.conf for your ssl configuration.

Was there a change affecting client certificate handling a couple
of months ago? I recall SSL connections not working after one of
the updates I did. I could be misremembering, but I think the
problem was that the presence of $PGDATA/root.crt caused the backend
to require a client certificate, whereas before the update that
wasn't happening -- a client without a certificate could connect
as long as it spoke SSL and otherwise satisfied pg_hba.conf. The
solution was either to create a client certificate or to remove
$PGDATA/root.crt.

Hmmm...let's do a little test...

I have a server running 7.4.6 and 8.0.0rc2. Both have root.crt,
server.crt, and server.key; both have "ssl = true" in postgresql.conf;
and both have a "hostssl" line in pg_hba.conf to force SSL for
remote clients.

I have a remote client running 8.0.0rc2. I'll connect to each
server twice, once with a client certificate and once without
(the certificate is in $HOME/.postgresql/postgresql.{crt,key}):

1. Connect to 7.4.6 with certificate: success
2. Connect to 8.0.0rc2 with certificate: success

Now I'll remove the certificate files and attempt the connections
again:

3. Connect to 7.4.6 without certificate: success
4. Connect to 8.0.0rc2 without certificate: failure

For the failure in (4), the client gave the following error:

psql: could not open certificate file "/.../.postgresql/postgresql.crt": No such file or directory

The 8.0.0rc2 server logged the following:

could not accept SSL connection: peer did not return a certificate

The backend's behavior regarding client certificates when root.crt
exists appears to have changed between the 7.4 branch and the latest
8.0 release candidate. If I remember correctly, 8.0 behaved as 7.4
does (client certificates not required even when root.crt exists)
until a couple of months ago. Was that change intentional or
accidental?

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
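The four connections in the message above (two server policies, a client with and without a certificate) can be reproduced outside PostgreSQL with a small loopback TLS server. This is an added example, not code from the original post or from PostgreSQL. It assumes that the behaviour Michael observed corresponds to the server's peer-verification mode (my reading of the logged "peer did not return a certificate", which is OpenSSL's reason string for a required-but-absent client certificate; the post itself does not state the mechanism), and that the `openssl` command-line tool is installed so a throw-away CA and certificates can be minted. The helper names (`make_test_pki`, `server_context`, `client_context`, `attempt`, `run_matrix`, `demo`) and the test CA/certificate subjects are mine.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"


def _openssl(*args, cwd):
    """Run the openssl CLI (assumed installed) in cwd; raise on any failure."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_test_pki(workdir):
    """Mint a throw-away CA plus CA-signed server and client certs (constructed
    test material, one-day validity). ca.crt plays the role of root.crt,
    server.* of server.crt/server.key, client.* of postgresql.crt/postgresql.key."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Test CA", "-keyout", "ca.key", "-out", "ca.crt", cwd=workdir)
    leaves = {  # name -> (CN, X.509v3 extensions for the leaf certificate)
        "server": ("localhost", "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n"
                                "subjectAltName=DNS:localhost\n"),
        "client": ("pguser", "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n"),
    }
    for name, (cn, exts) in leaves.items():
        with open(os.path.join(workdir, f"{name}.ext"), "w") as fh:
            fh.write(exts)
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=workdir)
        _openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "ca.crt",
                 "-CAkey", "ca.key", "-CAcreateserial", "-extfile", f"{name}.ext",
                 "-out", f"{name}.crt", cwd=workdir)
    return {f: os.path.join(workdir, f)
            for f in ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}


def server_context(pki, require_client_cert):
    """Loading the CA (root.crt) is one knob; whether an absent client cert is
    fatal is a separate one, the verify mode. Both server policies load the CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    ctx.load_verify_locations(pki["ca.crt"])
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def client_context(pki, present_client_cert):
    """Client always validates the server against the test CA; cert is optional."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(pki["ca.crt"])
    if present_client_cert:
        ctx.load_cert_chain(pki["client.crt"], pki["client.key"])
    return ctx


def attempt(pki, require_client_cert, present_client_cert):
    """One TLS connection over loopback; returns (client_got_reply, server_outcome)."""
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def serve():
        conn = None
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            sctx = server_context(pki, require_client_cert)
            with sctx.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
                tls.recv(16)
                tls.sendall(b"ok")
            outcome["server"] = "accepted"
        except ssl.SSLError as exc:  # e.g. reason PEER_DID_NOT_RETURN_A_CERTIFICATE
            outcome["server"] = "rejected: " + (exc.reason or str(exc))
        except OSError as exc:
            outcome["server"] = "error: " + str(exc)
        finally:
            if conn is not None:
                conn.close()
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    client_ok = False
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            cctx = client_context(pki, present_client_cert)
            with cctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"hello")
                client_ok = tls.recv(16) == b"ok"  # EOF or an alert means refused
    except OSError:  # SSLError and connection resets are both OSError subclasses
        client_ok = False
    worker.join(10)
    return client_ok, outcome.get("server", "no result")


def run_matrix(pki):
    """The post's four connections: (server requires cert?, client offers cert?)."""
    return {(req, has): attempt(pki, req, has)
            for req in (False, True) for has in (True, False)}


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        return run_matrix(make_test_pki(workdir))


if __name__ == "__main__":
    for (req, has), (ok, server) in demo().items():
        policy = "client cert required" if req else "client cert optional"
        print(f"{policy:20} | client offers cert={has!s:5} -> "
              f"client got reply={ok}, server: {server}")
```

Under this model the "optional" policy gives the 7.4 results (1 and 3 succeed) and the "required" policy gives the 8.0rc2 results (2 succeeds, 4 fails, with the server-side reason matching the logged message). The practical check for an operator is therefore not just whether `root.crt` is present but what the backend does when a peer sends no certificate; if remote clients have no certificates, either provision them or remove `root.crt`, exactly the two fixes mentioned above.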
