From: | lejeczek <peljasz(at)yahoo(dot)co(dot)uk> |
---|---|
To: | |
Cc: | pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Replication & TLS encryption - how? |
Date: | 2021-04-08 11:37:04 |
Message-ID: | 9d29a3c7-80de-4408-9197-e5ce1dd54a8e@yahoo.co.uk |
Views: | Whole Thread | Raw Message | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
On 08/04/2021 11:27, Laurenz Albe wrote:
> On Thu, 2021-04-08 at 09:21 +0100, lejeczek wrote:
>> On 08/04/2021 03:59, Laurenz Albe wrote:
>>> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>>>> On 07/04/2021 17:36, Tom Lane wrote:
>>>>> lejeczek <peljasz(at)yahoo(dot)co(dot)uk> writes:
>>>>>> A novice here thus please go easy on me as I ask this - I
>>>>>> see docs/howtos all over the place be those either talk of
>>>>>> encryption or replication. I failed to find one which blend
>>>>>> these two concepts together - sure it's possible to pgSQL
>>>>>> replication encrypted, right?
>>>> Thanks. Would you know how '|clientcert=1' fits into the
>>>> equation?
>>>> With it present in pg_hba.conf pgSQL was not happy saying:
>>>>
>>>> FATAL: connection requires a valid client certificate.
>>> Then include "sslcert" in "primary_conninfo".
>>>
>>> You can use all the libpq connection parameters:
>>> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>> This below is what 'pg_basebackup' generated on the master
>> itself, master which already was configured for TLS/certs.
>>
>> primary_conninfo = 'user=replicator password=''9897''
>> channel_binding=prefer host=10.1.1.224 port=5432
>> sslmode=prefer sslcompression=0
>> ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
>> krbsrvname=postgres target_session_attrs=any'
>>
>> And with master's:
>>
>> hostssl replication replicator 10.1.1.223/32 md5
>> clientcert=1
> I repeat: add "sslcert" to "primary_conninfo".
> Of course you will need a private key that matches the certificate.
I get what you were saying but I also wondered - when I
showed my "primary_conninfo" & pg_hba: why does replication
appear to work without the bits you mention and what is the
significance of 'clientcert=1' in all this.
>
>> I guess my question - as any novice's - would be: is
>> replication really 100% encrypted? How to confirm-test it?
> Look at the appropriate line in "pg_stat_ssl".
master/provider:
-[ RECORD 1 ]-+-----------------------
pid | 78705
ssl | t
version | TLSv1.3
cipher | TLS_AES_256_GCM_SHA384
bits | 256
compression | f
client_dn |
client_serial |
issuer_dn |
-[ RECORD 2 ]-+-----------------------
pid | 78867
ssl | f
version |
cipher |
bits |
compression |
client_dn |
client_serial |
issuer_dn |
standby:
-[ RECORD 1 ]-+--------
pid | 3119249
ssl | f
version |
cipher |
bits |
compression |
client_dn |
client_serial |
issuer_dn |
Does that confirm healthy & encrypted replication?
many thanks, L.
>> Lastly: is there anything more at 'pg_basebackup' stage user
>> can do to have 'configs' more ready, more complete for 'full
>> encryption' when starting with master already configured
>> with TLS?
>> I'm on 13.2 version.
> No, this always requires manual configuration.
>
> Yours,
> Laurenz Albe
From | Date | Subject | |
---|---|---|---|
Next Message | Yambu | 2021-04-09 08:07:16 | Swap being used on DB |
Previous Message | Laurenz Albe | 2021-04-08 10:27:17 | Re: Replication & TLS encryption - how? |