Re: PostgreSQL with SSL

From: Jose Berardo <joseberardo(at)gmail(dot)com>
To: Martin Münstermann <mmuenst(at)gmx(dot)de>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-admin(at)postgresql(dot)org
Subject: Re: PostgreSQL with SSL
Date: 2010-04-15 21:22:10
Message-ID: j2o9009a4451004151422r4cde72f4o868d4e7017cfab5b@mail.gmail.com
Lists: pgsql-admin

Hello.

As I have said, I'm new to using PostgreSQL over SSL connections.
I have worked with SSL before, but I'm really far from being an expert on
it.

Sorry for asking you before reading all the documentation; I looked for it
in the wrong pages and didn't find anything. After writing, I read a lot about
this subject because I'm a teacher and a PostgreSQL enthusiast, and I've started
to write a tutorial about SSL.

Maybe my questions are the same as someone else's, so let me talk about them
(thank you Bruce for the answers):

> > - There is any parameter to configure the path (and name) to certificate
> > (server.crt) and private key (server.key) like hba_file or ident_file in
> > postgresql.conf or any other?
>
> No, we only allow those fixed file names.

Sorry, the documentation told me this just after my hasty question.

> > - Is it possible to store the server.key in a ciphered file with triple-DES
> > and configure PostgreSQL to use a symmetric key to open it when it's
> > necessary?
> > Maybe I'm wrong but my server only works with a plain private key.
>
> No.

I believe that it may be a good idea; it may bring another level of security.
Am I wrong?
Is just saving the private key file inside the cluster with no privileges for
other users (the server suggests a 0600 mask for it) still sufficient to
protect the key?
I believe it may be interesting if the server, at start time, when reading
the key, asked the administrator for the password (e.g. a triple-DES symmetric
key), the same way that OpenSSL asks when we need to generate the public key
or generate a crt or csr.
What do you think, Bruce?

> > I'm trying to use the java keytool in place of openssl.
> > - I believe that it is not possible to start the PostgreSQL server without
> > openssl (and the ssl-dev package in Debian), is that correct?
>
> Yes, I don't think the java keytool works.

Oh, the documentation defeated me twice. The server reads the openssl
configuration at start time too.
The keytool may be used only to generate the key pair and the certificate,
but it cannot export the private key from its keystore. You need another
tool or to write Java code to do that.

> > - When I create keys and certificates with keytool, it creates a java
> > keystore to store everything. I know how to export the certificate but I
> > don't know how to export the private key and when I use the keytool
> > certificate, the server crashes with this message:
> >
> > FATAL: could not load server certificate file "server.crt": no start line
> >
> > Sorry about too many questions, but anyone can help me to understand more
> > about ssl in PostgreSQL?
>
> Have you read the documentation about creating a server key?
>
> http://www.postgresql.org/docs/8.4/static/ssl-tcp.html

Thank you Bruce, but this question was about the format of the certificate
generated by keytool.
I was missing the -rfc option when exporting the certificate.

Please friends, let me write an example here:

keytool -exportcert -alias myalias -file mycertificate.crt -keystore mykeystore.jks -storepass mypass -rfc

With -rfc, keytool prints out the certificate in accordance with RFC 1421.

Martin, thank you too.
The PEM format is exactly the base64 encoded format in this RFC.

Thanks a lot,

--
Jose Berardo

On Thu, Apr 15, 2010 at 4:45 AM, Martin Münstermann <mmuenst(at)gmx(dot)de> wrote:

> Hello.
>
> > > don't know how to export the private key and when I use the keytool
> > > certificate, the server crashes with this message:
> > >
> > > FATAL: could not load server certificate file "server.crt": no start line
> > >
> > > Sorry about too many questions, but anyone can help me to understand more
> > > about ssl in PostgreSQL?
> >
> > Have you read the documentation about creating a server key?
> >
> > http://www.postgresql.org/docs/8.4/static/ssl-tcp.html
>
> It is important that the server.crt and server.key files are in so-called
> PEM format.
> So they have to be text files and look like:
>
> -----BEGIN CERTIFICATE-----
> <some base64 encoded data>
> -----END CERTIFICATE-----
>
> and
>
> -----BEGIN RSA PRIVATE KEY-----
> <some base64 encoded data>
> -----END RSA PRIVATE KEY-----
>
> This is the default format produced by openssl.
> The private key format is also openssl-specific, so probably you are out of
> luck with keytool.
>
> Regards,
> Martin
>

--
Atenciosamente,

Jose Berardo
Especializa Treinamentos
www.especializa.com.br
+55 81 3465.0032
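The two failure modes discussed in this thread (a certificate that is not PEM text, which is what OpenSSL's "no start line" error means, and a private key left readable by other users) can be caught before the server is started. The script below is an added example, not code from the thread, from PostgreSQL or from keytool. It uses only POSIX tools (head, tail, grep, ls, cut), not openssl, and the sample files it writes are constructed placeholders with fake base64 bodies, not real keys or certificates; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two fixed-name
# files PostgreSQL reads from its data directory, server.crt and server.key.
# Both must be PEM text. A DER/binary certificate, such as a keytool export made
# without -rfc, is what produces:
#   FATAL: could not load server certificate file "server.crt": no start line
# The key should also carry the 0600 mode mentioned in the thread.

# pem_framed FILE LABEL_REGEX
# Succeeds if FILE's first line is "-----BEGIN <label>-----" and its last line
# is the matching "-----END <label>-----". LABEL_REGEX is an ERE fragment.
pem_framed() {
    head -n 1 "$1" 2>/dev/null | grep -Eq "^-----BEGIN ($2)-----\$" &&
    tail -n 1 "$1" 2>/dev/null | grep -Eq "^-----END ($2)-----\$"
}

# key_is_private FILE
# Succeeds if the group and other permission bits are all clear (0600, 0400).
# Columns 5-10 of `ls -l` are the group/other rwx flags.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_has_passphrase FILE
# Succeeds if the key is passphrase-protected, in either the legacy OpenSSL
# form (Proc-Type header) or the PKCS#8 "ENCRYPTED PRIVATE KEY" form.
key_has_passphrase() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null ||
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----'
}

# check_pg_ssl_files CRT KEY
# Prints one line per check; returns non-zero if any check fails.
check_pg_ssl_files() {
    crt=$1; key=$2; rc=0
    if pem_framed "$crt" 'CERTIFICATE'; then
        echo "ok:   $crt is PEM text"
    else
        echo "FAIL: $crt is not PEM (keytool -exportcert needs -rfc, or convert with: openssl x509 -inform der -in server.der -out server.crt)"
        rc=1
    fi
    if pem_framed "$key" '(RSA |EC )?PRIVATE KEY'; then
        echo "ok:   $key is a PEM private key"
    else
        echo "FAIL: $key is not a PEM private key"
        rc=1
    fi
    if key_has_passphrase "$key"; then
        echo "FAIL: $key is passphrase-protected; the server cannot read it unattended"
        rc=1
    fi
    if key_is_private "$key"; then
        echo "ok:   $key is not readable by group/other"
    else
        echo "FAIL: $key is readable by group or other; use chmod 0600"
        rc=1
    fi
    return $rc
}

# make_samples DIR
# Writes constructed sample files into DIR. The base64 bodies are placeholders,
# not real certificates or keys; only the PEM framing and modes matter here.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedPlaceholderNotARealCertificateBody==' \
        '-----END CERTIFICATE-----' > "$dir/server.crt"
    chmod 644 "$dir/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEconstructedPlaceholderNotARealKeyBody==' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    chmod 600 "$dir/server.key"
    # A few ASN.1-looking bytes standing in for a DER export (keytool without -rfc).
    printf '\060\202\003\012\060\202\001\362\240\003' > "$dir/server.der"
    # Legacy OpenSSL passphrase-protected key header (constructed).
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
        'constructedCiphertextPlaceholder==' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server-enc.key"
    chmod 600 "$dir/server-enc.key"
}

# Run with --demo to see all three outcomes on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "== good pair";        check_pg_ssl_files "$tmp/server.crt" "$tmp/server.key"
    echo "== DER certificate";  check_pg_ssl_files "$tmp/server.der" "$tmp/server.key" || true
    echo "== encrypted key";    check_pg_ssl_files "$tmp/server.crt" "$tmp/server-enc.key" || true
    rm -rf "$tmp"
fi
```

Against a real data directory, call `check_pg_ssl_files "$PGDATA/server.crt" "$PGDATA/server.key"`; the framing test is deliberately strict about the first and last line because that is exactly what OpenSSL's PEM reader looks for when it reports "no start line".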
