Re: Ref: BUG#1321: SSL error: sslv3 alert handshake failure

From: "T(dot)J(dot) Ferraro" <tjtoocool(at)phreaker(dot)net>
To: vishal saberwal <vishalsaberwal(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Ref: BUG#1321: SSL error: sslv3 alert handshake failure
Date: 2005-08-24 17:36:13
Message-ID: 430CB00D.8010604@phreaker.net
Lists: pgsql-bugs

Vishal,

I can't recall but I think if you use 8.0.3 the error would offer
more explanation. Bug 1321 was related to SSL support on windows. The
error you are getting isn't a bug. It's basically telling you it can't
find the postgresql.key and postgresql.crt.

For creating SSL certs I've always used the MySQL example at
http://dev.mysql.com/doc/mysql/en/secure-create-certs.html

You can ignore the last part about setting up my.cnf. Instead of doing
the "replace ./demoCA $DIR -- $DIR/openssl.cnf" as they suggest just
manually open your openssl.cnf file and change the ./demoCA to the
location of your openssl.cnf file.

Once finished rename some files:

cacert.pem => root.crt
cakey.pem => root.key
server-key.pem => server.key
server-cert.pem => server.crt
client-key.pem => postgresql.key
client-cert.pem => postgresql.crt

Place the postgresql.* files into the ~/.postgresql directory on the
client side.

So that answers a).

b) The client shouldn't be looking for root.crt

c) That should do it. If you have any more questions feel free to email
me off the list and I'll see what else ya need help with.

T.J.

vishal saberwal wrote:

>hi,
>I was reading the post for BUG # 1321 (Date: Tue, 16 Nov 2004 13:30:33
>-0700) about the error "sslv3 alert handshake failure" that I have
>encountered now.
>
>I have PostgreSQL 8.0.1 and have OpenSSL 0.9.7a.
>I have read through the documentation and a few other sites.
>
>PG_HBA.CONF
>----------------------
>local all all trust
>host all all 127.0.0.1 255.255.255.255 trust
>host all all 192.168.0.0/16 trust
>hostssl dbm all 192.168.200.201 255.255.255.255 md5
>
>SERVER
>--------------
>(Fedora Core 2)
>
>Database =DBM, owner=dbmuser
>
>I have done the following steps:
>(a) openssl req -new -text -out server.req
>(b) openssl rsa -in privkey.pem -out server.key
>(c) rm privkey.pem
>(d) openssl req -x509 -in server.req -text -key server.key -out server.crt
>(e) chmod og-rwx server.key
>
>Above steps were from the documentation for 8.0. I tested the
>communication to a remote machine (hostssl'ed with md5 in pg_hba.conf)
>and the data (when viewed on ethereal) was encrypted.
>
>(f) ln -s server.crt root.crt
>(g) ln -s server.key root.key
>
>Now I have [root.crt, root.key, server.crt, server.key, server.req]
>files in /usr/local/pgsql/data (which is my $PGDATA) which are owned
>by "chown postgres:postgres".
>
>CLIENT
>------------
>psql -d dbm -c 'select * from hosts;' -U postgres -h 192.168.200.201
>
>Here's where I am stuck.
>I created the directory ~/.postgresql as it never existed on the remote
>machine (Fedora Core 3) as user root.
>
>I have tried stopping and restarting the postmaster.
>
>I have the following questions:
>(a) How do I create the ~/.postgresql/postgresql.crt and
>~/.postgresql/postgresql.key files (not sure about the commands)?
>(b) Where do I get the ~/.postgresql/root.crt from?
>(c) Is there anything else I am missing that's not in the document or that
>I need to know?
>
>thanks,
>vish
>(Vishal Saberwal)
>

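The procedure T.J. outlines (make a CA, a server pair and a client pair, then rename them to the names PostgreSQL looks for) as an added example in plain openssl commands rather than the MySQL guide's script; this is not code from the thread. The CN values, the output directory and the 365-day lifetime are placeholders. The client certificate is signed by the same CA whose certificate becomes root.crt, which is what lets a server holding root.crt verify postgresql.crt, and private keys are left readable only by their owner.

```shell
#!/bin/sh
# Added example, not from the thread: build the CA, server and client
# certificates T.J. describes with plain openssl commands, then rename them
# to the filenames PostgreSQL expects. Assumes openssl on PATH; the CN
# values and the output directory are placeholders.
set -eu

SERVER_CN="${SERVER_CN:-db.example.invalid}"   # placeholder server name
CLIENT_CN="${CLIENT_CN:-dbmuser}"             # placeholder DB user name
DAYS=365

# Map the filenames produced by the MySQL guide to PostgreSQL's names.
pg_name_for() {
    case "$1" in
        cacert.pem)      echo root.crt ;;
        cakey.pem)       echo root.key ;;
        server-key.pem)  echo server.key ;;
        server-cert.pem) echo server.crt ;;
        client-key.pem)  echo postgresql.key ;;
        client-cert.pem) echo postgresql.crt ;;
        *)               return 1 ;;
    esac
}

# Issue a CA-signed certificate for subject $1, writing $2 (key) and $3 (cert).
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$2" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days "$DAYS" -out "$3" 2>/dev/null
    rm -f "$2.csr"
}

# Generate the whole set into directory $1. Server and client certs are
# signed by the CA, so the server's root.crt can verify postgresql.crt.
make_pg_certs() {
    mkdir -p "$1"
    ( cd "$1"
      openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
          -subj "/CN=Example Root CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
      issue_cert "$SERVER_CN" server-key.pem server-cert.pem
      issue_cert "$CLIENT_CN" client-key.pem client-cert.pem
      for f in cacert.pem cakey.pem server-key.pem server-cert.pem \
               client-key.pem client-cert.pem; do
          mv "$f" "$(pg_name_for "$f")"
      done
      chmod 0600 root.key server.key postgresql.key )  # private keys: owner only
}
# Usage: make_pg_certs /tmp/pgcerts; then copy server.* and root.crt to
# $PGDATA on the server and postgresql.* to ~/.postgresql on the client.
```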