
Re: PostgreSQL with SSL

From: Jose Berardo <berardo(at)especializa(dot)com(dot)br>
To: Martin Münstermann <mmuenst(at)gmx(dot)de>, pgsql-admin(at)postgresql(dot)org, Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: PostgreSQL with SSL
Date: 2010-04-16 21:08:17
Message-ID: j2u9009a4451004161408z294fee70oc32b24e843c09a3@mail.gmail.com
Lists: pgsql-admin
Hello,

On Fri, Apr 16, 2010 at 4:34 AM, "Martin Münstermann" <mmuenst(at)gmx(dot)de> wrote:
> Hello.
>
>> > > I'm trying to use the java keytool in place of openssl.
>> > > - I believe that it is not possible to start the PostgreSQL server
>> > > without openssl (and the ssl-dev package in Debian), is that correct?
>> >
>> > Yes, I don't think the java keytool works.
>>
>> Oh, the documentation defeated me twice. The server reads the openssl
>> configuration at start time too.
>> The keytool may be used only to generate the key pair and the certificate,
>> but it cannot export the private key from its keystore. You need another
>> tool, or you have to write Java code to do that.
>
> OpenSSL has two ways to store private keys:
> 1. its own proprietary format
> 2. standard PKCS#8
>
> The default as used in the postgresql doc is to produce the proprietary format.
> Don't know if PostgreSQL can handle PKCS#8 keys.
>
> If you'd like to check, here is a command to produce PKCS#8:
> openssl pkcs8 -in server.key  -out server.p8 -topk8

I've tested your suggestion, but it didn't work. Results below:

$ Enter PEM pass phrase:
FATAL:  could not load private key file "server.key": problems getting password

As Tom Lane has explained, the service doesn't work with encrypted keys
because it would need to ask the administrator for the password (like
above), and would not start until he gives it. The server would need
to keep the clear key in memory for every connection. Anyway, it would
still be possible for an attacker to obtain the key.

>
> Jose, writing a tutorial sounds promising. If I can be of any help, just contact me.

Thanks Martin, I'm writing in Portuguese, but I will ask a friend to
help me translate it to English.
When it's done, I will send it to you. Any consideration will be extremely welcome.

>
> Martin
>



-- 
Regards,

Jose Berardo
Especializa Treinamentos
www.especializa.com.br
+55 81 3465.0032
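The thread turns on two things: OpenSSL's traditional per-algorithm PEM format versus the standard PKCS#8 container, and the fact that a passphrase-protected key makes the server stop at "Enter PEM pass phrase:" and then fail with "problems getting password". The following is an added example, not code from this thread or from PostgreSQL: a small preflight check that reads a PEM key file's header lines, reports which of the two formats it is in, and refuses it when it is encrypted, so a DBA can catch the problem before an unattended server start. The function and variable names are the example's own, and the key bodies are constructed placeholders, not real key material.

```python
"""Preflight check for a PEM private key before a server tries to load it.

Added example, not code from the mailing-list thread. Classifies the key by
its PEM header and flags keys that would require a passphrase at start-up.
The sample key bodies at the bottom are constructed placeholders, not keys.
"""
import re

# Captures the PEM label, e.g. "RSA PRIVATE KEY" or "ENCRYPTED PRIVATE KEY".
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?)-----$", re.MULTILINE)

# Labels OpenSSL uses for its own (pre-PKCS#8) per-algorithm key format.
_TRADITIONAL_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}


def classify_pem_key(pem_text: str) -> tuple:
    """Return (format, encrypted) for a PEM private key.

    format is "pkcs8" for the standard container that `openssl pkcs8 -topk8`
    writes, "traditional" for OpenSSL's own format, or "unknown".
    encrypted is True when loading the key would need a passphrase: PKCS#8
    says so in the label itself ("ENCRYPTED PRIVATE KEY"), the traditional
    format through a "Proc-Type: 4,ENCRYPTED" header line after BEGIN.
    """
    match = _BEGIN.search(pem_text)
    if match is None:
        return ("unknown", False)
    label = match.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return ("pkcs8", True)
    if label == "PRIVATE KEY":
        return ("pkcs8", False)
    if label in _TRADITIONAL_LABELS:
        encrypted = re.search(r"^Proc-Type: 4,ENCRYPTED$", pem_text,
                              re.MULTILINE) is not None
        return ("traditional", encrypted)
    return ("unknown", False)


def preflight(pem_text: str) -> tuple:
    """Decide whether an unattended server start could load this key.

    Returns (ok, reason). An encrypted key is refused because the server
    would block waiting for someone to type the passphrase, which is the
    failure shown in the thread.
    """
    fmt, encrypted = classify_pem_key(pem_text)
    if fmt == "unknown":
        return (False, "no PEM private-key block found")
    if encrypted:
        return (False, f"{fmt} key is passphrase-protected; "
                       "the server would stop waiting for the password")
    return (True, f"{fmt} key is unencrypted")


# Constructed samples: base64 bodies are placeholders, not real keys.
TRADITIONAL_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
TRADITIONAL_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""
PKCS8_PLAIN = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = [("traditional, encrypted", TRADITIONAL_ENCRYPTED),
               ("traditional, plain", TRADITIONAL_PLAIN),
               ("pkcs8, encrypted", PKCS8_ENCRYPTED),
               ("pkcs8, plain", PKCS8_PLAIN)]
    for name, text in samples:
        ok, why = preflight(text)
        print(f"{name}: {'OK' if ok else 'REFUSE'} ({why})")
```

Run it against a real `server.key` by reading the file and passing its text to `preflight`. The check only looks at PEM headers, so it says nothing about whether the server accepts a given format; it just separates the keys that will load unattended from the ones that will stop at a passphrase prompt. Note that `openssl pkcs8 -topk8` encrypts its output by default, so converting an unencrypted traditional key that way without the `-nocrypt` option produces a PKCS#8 key the check would refuse.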
