Re: Replication & TLS encryption - how?

On 08/04/2021 11:27, Laurenz Albe wrote:
> On Thu, 2021-04-08 at 09:21 +0100, lejeczek wrote:
>> On 08/04/2021 03:59, Laurenz Albe wrote:
>>> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>>>> On 07/04/2021 17:36, Tom Lane wrote:
>>>>> lejeczek <peljasz(at)yahoo(dot)co(dot)uk> writes:
>>>>>> A novice here thus please go easy on me as I ask this - I
>>>>>> see docs/howtos all over the place be those either talk of
>>>>>> encryption or replication. I failed to find one which blend
>>>>>> these two concepts together - sure it's possible to pgSQL
>>>>>> replication encrypted, right?
>>>> Thanks. Would you know how '|clientcert=1' fits into the
>>>> equation?
>>>> With it present in pg_hba.conf pgSQL was not happy saying:
>>>>
>>>> FATAL: connection requires a valid client certificate.
>>> Then include "sslcert" in "primary_conninfo".
>>>
>>> You can use all the libpq connection parameters:
>>> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>> This below is what 'pg_basebackup' generated on the master
>> itself, master which already was configured for TLS/certs.
>>
>> primary_conninfo = 'user=replicator password=''9897''
>> channel_binding=prefer host=10.1.1.224 port=5432
>> sslmode=prefer sslcompression=0
>> ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
>> krbsrvname=postgres target_session_attrs=any'
>>
>> And with master's:
>>
>> hostssl replication replicator 10.1.1.223/32 md5
>> clientcert=1
> I repeat: add "sslcert" to "primary_conninfo".
> Of course you will need a private key that matches the certificate.
I get what you were saying but I also wondered - when I
showed my "primary_conninfo" & pg_hba: why does replication
appear to work without the bits you mention and what is the
significance of 'clientcert=1' in all this.
>
>> I guess my question - as any novice's - would be: is
>> replication really 100% encrypted? How to confirm-test it?
> Look at the appropriate line in "pg_stat_ssl".
master/provider:
-[ RECORD 1 ]-+-----------------------
pid           | 78705
ssl           | t
version       | TLSv1.3
cipher        | TLS_AES_256_GCM_SHA384
bits          | 256
compression   | f
client_dn     |
client_serial |
issuer_dn     |
-[ RECORD 2 ]-+-----------------------
pid           | 78867
ssl           | f
version       |
cipher        |
bits          |
compression   |
client_dn     |
client_serial |
issuer_dn     |

standby:
-[ RECORD 1 ]-+--------
pid           | 3119249
ssl           | f
version       |
cipher        |
bits          |
compression   |
client_dn     |
client_serial |
issuer_dn     |

Does that confirm healthy & encrypted replication?

many thanks, L.
>> Lastly: is there anything more at 'pg_basebackup' stage user
>> can do to have 'configs' more ready, more complete for 'full
>> encryption' when starting with master already configured
>> with TLS?
>> I'm on 13.2 version.
> No, this always requires manual configuration.
>
> Yours,
> Laurenz Albe