
Re: BUG #5008: Server Startup Problem - When server is configured for SSL

From: Jalaj Negi <jalajsinghnegi(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5008: Server Startup Problem - When server is configured for SSL
Date: 2009-08-27 15:24:10
Message-ID: de7ef5c50908270824l670aef36w9b454df92e946893@mail.gmail.com
Lists: pgsql-bugs
Hi,
I tried by setting the requirement for certificates only on non-localhost
addresses. It works perfectly fine in that case.
What's the solution in case of requesting client certificates on localhost
connections?

One temporary solution I found for the above question is to set PGSSLCERT,
PGSSLKEY, PGSSLROOTCERT, PGSSLCRL
as system environment variables and let them point to a valid client
certificate, key, root certificate and CRL. Then I rebooted
my Windows machine and the database server started perfectly fine.
Is this solution fine, or is some fix needed in the code?

regards,
jalaj negi



========================================================
Magnus Hagander to me, pgsql-bugs
Aug 26 (1 day ago)

I think this indicates that pg_ctl is trying to connect to the
database just to see if it's running, but you have set it to require
SSL certificate on connections from localhost. Could that be so? If
so, try setting the requirement for certificates only on non-localhost
addresses and see if it starts up properly in that case.
========================================================


On Thu, Aug 27, 2009 at 12:30 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:

> On Wed, Aug 26, 2009 at 22:47, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >> On Wed, Aug 26, 2009 at 15:57, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >>>> But that will still fail if the user has set it up to require a client
> >>>> certificate.
> >>>
> >>> But not till it gets to the pg_hba checks.  We might need to have some
> >
> >> How would that be different from what we have now? sslmode=prefer will
> >> still allow both ssl and non-ssl connection. It won't kick you out
> >> until you reach the hba processing, will it?
> >
> > Hm, will it retry if the ssl setup step fails?  If so it'd be all right,
> > but it's still a waste of cycles ...
>
> Yes, that's the difference between prefer and require.
>
> I think the main issue is that test_postmaster_connection() only
> accepts two cases - successful login and password prompt. It would
> have similar issues with say an ident mismatch, or loopback
> connections configured for kerberos.
>
>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/
>
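
An added example, not part of the original message or of PostgreSQL's own code: a Python check for the situation discussed in this thread, reporting whether the first pg_hba.conf rule that matches a loopback connection demands a client certificate. The sample files, the function names and the simplifications (SSL connection, database/user columns assumed to match, host names not resolved) are assumptions.

```python
import ipaddress

# Constructed pg_hba.conf samples (not from the thread). BLOCKING demands a
# client certificate from loopback; EXEMPT asks for one only from other hosts.
BLOCKING = """\
hostssl all all 127.0.0.1/32 md5 clientcert=1
hostssl all all ::1/128      md5 clientcert=1
hostssl all all 0.0.0.0/0    md5 clientcert=1
"""
EXEMPT = """\
host    all all 127.0.0.1 255.255.255.255 md5
host    all all ::1/128      md5
hostssl all all 0.0.0.0/0    md5 clientcert=1
"""
PROBES = ("127.0.0.1", "::1")   # loopback addresses a local client may use

def _network(fields):
    """Split off the address part; return (network | 'any' | None, remaining fields)."""
    addr, rest = fields[0], fields[1:]
    if addr in ("all", "samehost"):            # both keywords cover loopback
        return "any", rest
    try:
        if "/" not in addr and rest:            # old style: IP then a separate netmask
            return ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False), rest[1:]
        return ipaddress.ip_network(addr, strict=False), rest
    except ValueError:                          # host name, samenet: not resolved here
        return None, rest

def first_loopback_rule(hba_text):
    """Map each loopback address to (line_no, cert_required) of the first rule matching it.

    Assumes an SSL connection and rules whose database/user columns match the
    probing client; pg_hba.conf is first-match, so later lines are ignored.
    """
    found = {}
    for no, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl"):
            continue
        net, rest = _network(fields[3:])
        if net is None or not rest:
            continue
        cert = rest[0] == "cert" or any(
            o.startswith("clientcert=") and o.split("=", 1)[1] not in ("0", "no-verify")
            for o in rest[1:])
        for probe in PROBES:
            if probe not in found and (net == "any" or ipaddress.ip_address(probe) in net):
                found[probe] = (no, cert)
    return found
```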
