Re: Need a wee bit more info on PostgreSQL's SSL security options

From: Ray Stell <stellr(at)cns(dot)vt(dot)edu>
To: Andreas <maps(dot)on(at)gmx(dot)net>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Need a wee bit more info on PostgreSQL's SSL security options
Date: 2007-06-03 23:25:47
Message-ID: 20070603232547.GD29909@cns.vt.edu
Lists: pgsql-admin


Read the entries listed here:
http://archives.postgresql.org/pgsql-admin/2006-10/msg00103.php

Everything came together for me with:
http://www.postgresql.org/docs/8.1/interactive/libpq-ssl.html

You might want to state your goals, because the config varies depending
on what you are trying to accomplish.

On Sun, Jun 03, 2007 at 12:20:25AM +0200, Andreas wrote:
> Hi,
>
> I've got it so far:
> Server-OS: Debian 3.1 sarge
> PostgreSQL: Debian's binary PG 8.1.8 (still the most recent version
> available)
>
> Following a tutorial (actually for OpenVPN as I didn't find any for PG
> that goes beyond what is found in the main docu) I created a CA, server
> and client certificate, updated postgresql.conf and pg_hba.conf, did a
> restart of PG and connected from a windows box with pgAdmin.
> NICE :)
>
> Now as far as I see, even though I have my postgresql.crt+key in place,
> I still have to provide username and password, right?
>
> The server rejects my connection attempt if I move postgresql.crt+key
> away. That's to be expected.
> Can I further check the security of the server? The aim will be to have
> the port open to the Internet.
>
> How can I check that PG accepts only keys produced by my CA?
>
> What would be the correct "Common Name" of a client?
>
> I read that the client can maintain a file root.crt to check the
> identity of the db-server.
> Is this the root.crt that sits in PG's data-directory or is it the
> server.crt ?
>
> In the documentation there is a certificate-revocation-list-file mentioned.
> I suspect this is to revoke a formerly granted key that got lost or is
> owned by a person who shouldn't be allowed to access the dbms anymore.
> How is this CRL file set up?
>
>
> Is there a documentation, that covers those matters more deeply than
> chapter 16.8 and 20.1 of PG's main documentation?
> Especially the whole client-side topic is rather thin for a newbie.
>
>
> Regards
> Andreas

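The questions quoted above (how to confirm the server trusts only certificates from your own CA, which file the client's root.crt is, and how a CRL is set up) all come down to ordinary OpenSSL CA mechanics, which is what PostgreSQL's SSL support relies on. The script below is an added example and is not part of this thread or of PostgreSQL itself. It builds a throw-away CA, issues a server certificate and a client certificate (CN set to the database role name, a convention that newer releases from 8.4 on can map onto the role via the cert authentication method), produces a CRL with that client certificate revoked, and uses openssl verify to show that a self-signed impostor with the same CN and the revoked certificate are both rejected while the CA-issued ones pass. The CA name, the host name db.example.test, the role name andreas and the scratch-directory layout are all invented for the demo; it only needs openssl(1) and runs offline.

File placement follows the 8.1 documentation linked above: server.crt and server.key go in the server's data directory, root.crt next to them is what makes an 8.1 server request and verify client certificates, and root.crl in the same place adds the revocation check. The client keeps postgresql.crt and postgresql.key plus its own copy of the CA certificate as root.crt (and optionally root.crl) under ~/.postgresql, or %APPDATA%\postgresql on Windows. So the client-side root.crt is the CA certificate, not server.crt. In 8.1 a valid client certificate only gets you through the TLS handshake; the pg_hba.conf method (password) still applies afterwards, which is why a username and password are still asked for.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): build a throw-away
# CA, issue server and client certificates, revoke the client one into a CRL
# and check with openssl that only CA-issued, unrevoked certificates verify.
# All names and the directory layout are invented for the demo. Needs openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (hypothetical layout)
CA="$WORK/ca"

# Minimal config for 'openssl req' and 'openssl ca' (demo-only).
write_ca_config() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"
  echo 1000 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $CA
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/root.crt
private_key        = \$dir/root.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
x509_extensions    = leaf_ext
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints   = CA:FALSE
EOF
}

# The CA. root.crt is what goes in the server data directory and in the
# client's ~/.postgresql/root.crt. Emit an empty root.crl right away so that
# -crl_check has a CRL to consult before anything is revoked.
make_ca() {
  write_ca_config
  openssl req -config "$CA/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Demo PG CA" -extensions ca_ext \
    -keyout "$CA/root.key" -out "$CA/root.crt" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/root.crl" 2>/dev/null
}

# issue_cert NAME CN: NAME.key, a CSR, and NAME.crt signed by the CA.
issue_cert() {
  openssl req -config "$CA/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -batch -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# make_impostor NAME CN: self-signed, same CN as a real user, not from our CA.
make_impostor() {
  openssl req -config "$CA/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# revoke_cert NAME: mark NAME.crt revoked in the CA database, reissue root.crl.
revoke_cert() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/root.crl" 2>/dev/null
}

# verify_cert NAME: exit 0 only if NAME.crt chains to root.crt and is not on
# root.crl. CA cert and CRL are concatenated so a single -CAfile carries both.
verify_cert() {
  cat "$CA/root.crt" "$CA/root.crl" > "$WORK/trust.pem"
  openssl verify -crl_check -CAfile "$WORK/trust.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_cert server db.example.test   # CN = host name the clients connect to
  issue_cert client andreas           # CN = database role name (convention)
  make_impostor intruder andreas
  for name in server client intruder; do
    if verify_cert "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
  done
  revoke_cert client
  if verify_cert client; then echo "client after revocation: accepted (BUG)"
  else echo "client after revocation: rejected by CRL"; fi
  echo "CA files in $CA (root.crt, root.crl); certificates in $WORK"
}

demo
```

Run it with sh; it prints one accepted/rejected line per certificate and leaves the files in the scratch directory, from where root.crt, root.crl, server.crt and server.key would be copied into the data directory and client.crt/client.key renamed to postgresql.crt/postgresql.key on the client. The same chain and CRL logic is what the server applies to a presented client certificate, so this is a quick offline way to check that a certificate from another CA will be refused before opening the port.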