
Re: SslTests failures - resolved

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Mikko Tiihonen <mikko(dot)tiihonen(at)nitorcreations(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: SslTests failures - resolved
Date: 2011-11-22 21:45:42
Message-ID: CADK3HHJMN-N2PkrD1ecwvSfJRQU1PV1cWS4wH26VBwnGR3JzJA@mail.gmail.com
Lists: pgsql-jdbc
Mikko,

Can you attach that file instead of including it inline?


Dave Cramer

dave.cramer(at)credativ(dot)ca
http://www.credativ.ca




On Tue, Nov 22, 2011 at 4:04 PM, Mikko Tiihonen
<mikko(dot)tiihonen(at)nitorcreations(dot)com> wrote:
> On 11/22/2011 10:31 PM, Mikko Tiihonen wrote:
>>
>> On 11/22/2011 09:40 PM, Dave Cramer wrote:
>>>
>>> Mikko,
>>>
>>> You probably (like me) have a very permissive pg_hba.conf file. It
>>> needs to be restricted so that local databases need to connect via
>>> ssl. At least that was my experience.
>>
>> Thanks, that helped me further. I had to uncomment all lines starting with
>> "host all" or use the provided pg_hba.conf as is.
>>
>> Now I have only 28 failures:
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> They fail with "Connection rejected: FATAL: certificate authentication
>> failed for user "jdbctest"" on jdbc driver side
>> and "LOG: provided user name (jdbctest) and authenticated user name (test)
>> do not match" on server side.
>>
>> I cannot see where the authenticated user name "test" can come from unless
>> it is inside the certificates - in which case I'll update the
>> documentation to say that the postgres account for SSL tests must be named
>> "test".
>
> After running "createuser test -P" all ssl tests pass.
>
> Here is the final patch to the README to document what the next user has to do
> to set up the tests.
>
> Index: certdir/README
> ===================================================================
> RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v
> retrieving revision 1.1
> diff -u -r1.1 README
> --- certdir/README      17 Nov 2011 11:27:50 -0000      1.1
> +++ certdir/README      22 Nov 2011 21:01:58 -0000
> @@ -40,5 +40,18 @@
>  #Common name is localhost, no password
>
>  The subdirectory server contains what should be copied to the PGDATA
> directory.
> +If you do not overwrite the pg_hba.conf then remember to comment out all
> lines
> +starting with "host all".
>
>  For the tests the sslinfo module must be installed into every database.
> +The ssl=on must be set in postgresql.conf
> +
> +The following command creates the databases and installs the sslinfo
> module.
> +
> +for db in hostssldb hostnossldb certdb hostsslcertdb; do
> +  createdb $db
> +  psql $db -c "create extension sslinfo"
> +done
> +
> +The username for connecting to postgres as specified in
> build.local.properties tests has to be "test".
> +
>
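Review bot: The last added paragraph names the required username but omits the step that made the tests pass in this thread, "createuser test -P", and gives no reason for the name. Add that command next to the createdb loop, and note that certificate authentication rejected "jdbctest" because the server compared it with the authenticated name "test". The phrase "as specified in build.local.properties tests" reads as if a word is missing and should be reworded. In the loop, write "$db" quoted in both commands for consistency with normal shell practice.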
> --
> Sent via pgsql-jdbc mailing list (pgsql-jdbc(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-jdbc
>
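The pg_hba.conf point raised in the thread, as an added example that is not part of the original messages or of pgjdbc: PostgreSQL uses the first matching record, and a `host` record matches TCP connections with or without SSL, so an active "host all" line answers before the `hostssl`/`hostnossl` records the tests depend on. The sample file is constructed; the check ignores the user and address columns, so it over-reports rather than under-reports.

```python
# Constructed sample for illustration; not the pg_hba.conf shipped in certdir/server.
# Database names come from the README patch; the rules and methods are assumptions.
SAMPLE_PG_HBA = """\
# TYPE     DATABASE     USER  ADDRESS       METHOD
local      all          all                 trust
host       all          all   127.0.0.1/32  trust
#host      all          all   ::1/128       trust
hostssl    hostssldb    all   127.0.0.1/32  md5
hostnossl  hostnossldb  all   127.0.0.1/32  md5
hostssl    certdb       all   127.0.0.1/32  cert
"""


def active_records(text):
    """Return (line_no, conn_type, databases) for each uncommented record."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2:
            records.append((line_no, fields[0], fields[1].split(",")))
    return records


def shadowing_host_lines(text):
    """Map each active 'host all' line to the later SSL-specific lines it pre-empts.

    Matching is first-record-wins, so a catch-all 'host' record placed above
    hostssl/hostnossl records is consulted first for any TCP connection.
    """
    records = active_records(text)
    findings = {}
    for i, (line_no, conn_type, dbs) in enumerate(records):
        if conn_type != "host" or "all" not in dbs:
            continue
        later = [n for n, t, _ in records[i + 1:] if t in ("hostssl", "hostnossl")]
        if later:
            findings[line_no] = later
    return findings


if __name__ == "__main__":
    for line_no, shadowed in shadowing_host_lines(SAMPLE_PG_HBA).items():
        print(f"line {line_no}: 'host all' precedes SSL-specific lines {shadowed}")
```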
