Re: PQConnectdb SSL (sslmode): Is this a bug

From: vishal saberwal <vishalsaberwal(at)gmail(dot)com>
To: Michael Fuhr <mike(at)fuhr(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org
Subject: Re: PQConnectdb SSL (sslmode): Is this a bug
Date: 2005-08-29 23:23:13
Message-ID: 3e74dc25050829162361df1ddd@mail.gmail.com
Lists: pgsql-general

Hi Michael and Tom,
(A) With LIBPQ.SO.3.2

After reading your response I copied the libpq.so.3.2 from the compiled
source tree to /usr/lib where the version available was libpq.so.3.1.
I recreated the symbolic links and now the links are as below:
[root(at)localhost DBApi]# ls -l /usr/lib/libpq*
-rw-r--r-- 1 postgres root 1480452 Mar 10 2004 /usr/lib/libpq.a
lrwxrwxrwx 1 postgres root 21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx 1 postgres root 21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x 1 postgres root 113988 Mar 10 2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x 1 postgres root 122177 Aug 26 12:55 /usr/lib/libpq.so.3.2

[root(at)localhost DBApi]# ls -l /usr/local/pgsql/lib/libpq.so*
lrwxrwxrwx 1 root root 12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so -> libpq.so.3.2
lrwxrwxrwx 1 root root 12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3 -> libpq.so.3.2
-rwxr-xr-x 1 root root 122177 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3.2

[root(at)localhost DBApi]# which psql
/usr/bin/psql
[root(at)localhost DBApi]# psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
[root(at)localhost DBApi]# env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib
[root(at)localhost DBApi]#

The postmaster command is:
/usr/local/pgsql/bin/postmaster -D /usr/local/pgsql/data/ -i >logfile 2>&1 &

As "postgres" user:
-bash-2.05b$ which psql
/usr/local/pgsql/bin/psql
-bash-2.05b$ psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
-bash-2.05b$ env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib/
-bash-2.05b$

"test_k2" was a typo (sorry about that) ...

[root(at)localhost serv]# ldd ./bin/test_lib
linux-gate.so.1 => (0x00a4e000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x003c8000)
libpq.so.3 => /usr/lib/libpq.so.3 (0x008b4000)
libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x00590000)
libm.so.6 => /lib/tls/libm.so.6 (0x002b0000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x004e7000)
libc.so.6 => /lib/tls/libc.so.6 (0x00193000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00176000)
libssl.so.4 => /lib/libssl.so.4 (0x00c6a000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x0076f000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00caa000)
libresolv.so.2 => /lib/libresolv.so.2 (0x003ff000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00c53000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00758000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x006aa000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x006a5000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00714000)
libdl.so.2 => /lib/libdl.so.2 (0x002d5000)
libz.so.1 => /usr/lib/libz.so.1 (0x002db000)
[root(at)localhost serv]#

Now I ran the program I had that has a connect command with
("hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=prefer") parameters.

[root(at)localhost serv]# ./bin/test_lib
Connection failed: could not open certificate file "/root/.postgresql/postgresql.crt": No such file or directory
ret=-1

I don't think I need to have ~/.postgresql/postgresql.crt on server. I
thought that was the requirement only with the clients ... so, I think I
shouldn't be getting this error. On server (as per documentation) I need to
have the files in $PGDATA rather than in ~/.postgresql. Hence this question.

[root(at)localhost serv]# cat /var/lib/pgsql/logfile
LOG: database system was interrupted at 2005-08-29 12:56:46 PDT
LOG: checkpoint record is at 0/655FF5F4
LOG: redo record is at 0/655FF5F4; undo record is at 0/0; shutdown FALSE
LOG: next transaction ID: 15567; next OID: 11920206
LOG: database system was not properly shut down; automatic recovery in progress
LOG: record with zero length at 0/655FF630
LOG: redo is not required
LOG: database system is ready
LOG: could not accept SSL connection: peer did not return a certificate
LOG: could not accept SSL connection: peer did not return a certificate
LOG: could not accept SSL connection: peer did not return a certificate
LOG: could not accept SSL connection: peer did not return a certificate

Now with allow:
"hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=allow"
[root(at)localhost libk2]# ./bin/test_k2

ret=0
GOT CONNECTION
NAME AGE
----------------------------
me 1
you 2
they 3
us 4
[root(at)localhost libk2]#

(B) With LIBPQ.SO.3.1

[root(at)localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r-- 1 postgres root 1480452 Mar 10 2004 /usr/lib/libpq.a
lrwxrwxrwx 1 postgres root 21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx 1 postgres root 21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x 1 postgres root 113988 Mar 10 2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x 1 postgres root 122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root(at)localhost DBApi]# rm /usr/lib/libpq.so.3
rm: remove symbolic link `/usr/lib/libpq.so.3'? y
[root(at)localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so.3
[root(at)localhost DBApi]# rm /usr/lib/libpq.so
rm: remove symbolic link `/usr/lib/libpq.so'? y
[root(at)localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so
[root(at)localhost DBApi]# chown postgres /usr/lib/libpq*
[root(at)localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r-- 1 postgres root 1480452 Mar 10 2004 /usr/lib/libpq.a
lrwxrwxrwx 1 postgres root 21 Aug 29 16:07 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.1
lrwxrwxrwx 1 postgres root 21 Aug 29 16:07 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.1
-rwxr-xr-x 1 postgres root 113988 Mar 10 2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x 1 postgres root 122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root(at)localhost DBApi]#

doing nothing but above commands ... killing and restarting the postmaster
...
(1) sslmode=allow:
[root(at)localhost serv]# ./bin/test_lib
ret=0
GOT CONNECTION
NAME AGE
----------------------------
me 1
you 2
they 3
us 4
[root(at)localhost serv]# vi src/test_lib.cpp
(2) sslmode=prefer
[root(at)localhost serv]# ./bin/test_lib
Connection failed: SSL error: sslv3 alert handshake failure

ret=-1
[root(at)localhost serv]#

This is what I am curious about:
(a) Where am I going wrong?
(b) Why are the error messages different?
(c) When LD_LIBRARY_PATH is set to /usr/local/pgsql/lib, then why does it
matter if the links on /usr/lib/libpq.so are changed?

thanks,
vish

On 8/26/05, Michael Fuhr <mike(at)fuhr(dot)org> wrote:
>
> On Fri, Aug 26, 2005 at 01:57:36PM -0700, vishal saberwal wrote:
> > I am not sure as to how I can find the version of libpq that I am
> > using on my server. My test file has sslmode=prefer. This is what i
> > did:
> > (a)
> > [root(at)localhost serv]# ./bin/test_lib
> > Connection failed: SSL error: sslv3 alert handshake failure
>
> I asked what appeared in the server's logs when this happened but
> I don't see that information in your post. Those log entries might
> be useful, so please post them if you continue to have trouble.
>
> > ret=-1
> > [root(at)localhost serv]# ldd ./bin/test_lib
> > ...
> > libpq.so.3 => /usr/lib/libpq.so.3 (0x002ee000)
>
> What's the output of the following command?
>
> ls -l /usr/lib/libpq.so*
>
> In my 7.4.8 installation I see the following:
>
> libpq.so -> libpq.so.3.1
> libpq.so.3 -> libpq.so.3.1
> libpq.so.3.1
>
> As I recall, 8.0.1's libpq was libpq.so.3.2 (this was changed to
> libpq.so.4.0 in 8.0.2), so the library's minor version should tell
> you which version of PostgreSQL you're linked against.
>
> I asked if the certificate works with psql, and if it does, for you
> to show the output of "ldd psql". I don't see that output -- does
> psql work? If so then please post its ldd output.
>
> > [root(at)localhost libk2]# ./bin/test_k2
> > Connection failed: could not open certificate file
> > "/root/.postgresql/postgresql.crt": No such file or directory
>
> What's test_k2? It's looking for the certificate, although perhaps
> not where you want it to. What happens if you run this program as
> a user that has a certificate, or if you install the certificate
> and key in /root/.postgresql? Also, I don't see test_k2's ldd
> output -- is it linked against /usr/local/pgsql/lib/libpq.so.3?
> If so, what's the output of the following command?
>
> ls -l /usr/local/pgsql/lib/libpq.so*
>
> I'm wondering if you have PostgreSQL 7.4's libraries installed in
> /usr/lib and 8.0.1's libraries in /usr/local/pgsql/lib. Is that
> what you've done?
>
> --
> Michael Fuhr
>
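
Added example, not part of the original message or of PostgreSQL: the thread compares `ldd` output against LD_LIBRARY_PATH by eye to learn which libpq (and therefore which SSL behaviour) a client binary really loads. The script below automates that comparison; the function names and the `SAMPLE_LDD` excerpt (copied from the output above) are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample: a few lines of the `ldd ./bin/test_lib` output shown in the message.
SAMPLE_LDD='    linux-gate.so.1 =>  (0x00a4e000)
    libpthread.so.0 => /lib/tls/libpthread.so.0 (0x003c8000)
    libpq.so.3 => /usr/lib/libpq.so.3 (0x008b4000)
    libssl.so.4 => /lib/libssl.so.4 (0x00c6a000)'

# libpq_from_ldd: read ldd output on stdin, print the path libpq resolved to.
libpq_from_ldd() {
    awk '$1 ~ /^libpq\.so/ && $2 == "=>" { print $3; exit }'
}

# in_search_path DIR PATHLIST: succeed if DIR appears in the colon-separated
# PATHLIST. Trailing slashes are ignored, so "/usr/local/pgsql/lib/" (the
# postgres user's setting above) equals "/usr/local/pgsql/lib" (root's).
in_search_path() {
    dir=${1%/}
    old_ifs=$IFS
    IFS=:
    for p in $2; do
        if [ -n "$p" ] && [ "${p%/}" = "$dir" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_libpq PATHLIST: read ldd output on stdin and report whether libpq was
# resolved from one of the directories in PATHLIST (normally $LD_LIBRARY_PATH).
# Prints "match PATH", "mismatch PATH" (status 1) or "no-libpq" (status 2).
check_libpq() {
    resolved=$(libpq_from_ldd)
    if [ -z "$resolved" ]; then
        echo "no-libpq"
        return 2
    fi
    if in_search_path "$(dirname "$resolved")" "$1"; then
        echo "match $resolved"
    else
        echo "mismatch $resolved"
        return 1
    fi
}

# Demo on the constructed sample with root's LD_LIBRARY_PATH from the message.
printf '%s\n' "$SAMPLE_LDD" | check_libpq "/usr/local/pgsql/lib" || true
```

On a live system, pipe real output into it: `ldd ./bin/test_lib | check_libpq "$LD_LIBRARY_PATH"`, then follow the reported path with `ls -l` to see which libpq.so.3.x the symlink points to.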
