Re: ssl database connection problems...

On Fri, Jan 23, 2009 at 02:04:21PM -0500, Carol Walter wrote:
>>>
>>> ssl_ciphers 'ALL:!ADH:!LOW:@STRENGTH'

I don't understand this syntax, is it described somewhere to your
knowledge. The doc say to see the openssl docs, so I went
fishing there. Maybe one of these will work:

> openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
...
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

> Yes, This says "All but ADH and low." I changed this line to just be
> ssl_ciphers = 'ALL' . Stopped, started, and re-ran and it still doesn't
> connect. The messages in the log file say "cipher or hash unavailable".

maybe that means the ALL I guessed is wrong, but idunno, the documentation
doesn't say what that string means.

> Since the files of the ciphers are definitely on the system, this suggests
> that either postgres doesn't know where to find them or the permission on
> them are wrong.

it should, seems like that would have been handled in your compile pointing to
the libs.

> The default is
> #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL

I don't know what this means, these are not listed in the openssl docs
that is pointed to. Guess we could go read the pg source and figure
out what they do with this config line, maybe. We need a clue here...

> how to tell postgres which set of cipher files to use. It's in the OpenSSL
> path, but not the complete path.

I thinking that is covered in the compile and you are not using the config
line to pgs liking, but that's just a guess.

Sorry, I can't try this stuff myself, buried in Oracle cruft right now.