Re: Replication & TLS encryption - how?

From: lejeczek <peljasz(at)yahoo(dot)co(dot)uk>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Replication & TLS encryption - how?
Date: 2021-04-08 08:21:30
Message-ID: a217cf80-b5be-443f-f3df-445ee7b88b37@yahoo.co.uk
Lists: pgsql-admin

On 08/04/2021 03:59, Laurenz Albe wrote:
> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>> On 07/04/2021 17:36, Tom Lane wrote:
>>> lejeczek <peljasz(at)yahoo(dot)co(dot)uk> writes:
>>>> A novice here thus please go easy on me as I ask this - I
>>>> see docs/howtos all over the place, but those talk of either
>>>> encryption or replication. I failed to find one which blends
>>>> these two concepts together - sure it's possible to have pgSQL
>>>> replication encrypted, right?
>>> Replication connections work exactly like normal sessions for
>>> this purpose. Just make sure you set any required parameters
>>> in the standby's connection string.
>>>
>>> regards, tom lane
>>>
>>>
>> Thanks. Would you know how 'clientcert=1' fits into the
>> equation?
>> With it present in pg_hba.conf pgSQL was not happy saying:
>>
>> FATAL: connection requires a valid client certificate.
> Then include "sslcert" in "primary_conninfo".
>
> You can use all the libpq connection parameters:
> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>
> Yours,
> Laurenz Albe
Below is what 'pg_basebackup' generated on the master
itself, a master which was already configured for TLS/certs.

primary_conninfo = 'user=replicator password=''9897''
channel_binding=prefer host=10.1.1.224 port=5432
sslmode=prefer sslcompression=0
ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
krbsrvname=postgres target_session_attrs=any'

And with master's:

hostssl    replication     replicator      10.1.1.223/32 md5
clientcert=1

the standby would not connect, but without 'clientcert=1' it
seems to work.

I guess my question - as any novice's - would be: is
replication really 100% encrypted? How to confirm-test it?
Lastly: is there anything more at 'pg_basebackup' stage user
can do to have 'configs' more ready, more complete for 'full
encryption' when starting with master already configured
with TLS?
I'm on version 13.2.

many thanks, L.
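The two questions above (does 'sslmode=prefer' give real encryption, and what does 'clientcert=1' need on the standby side) can be checked mechanically. The script below is an added example written for this thread, not code from the thread or from PostgreSQL itself: it parses the primary_conninfo line that pg_basebackup wrote (the sample is the one quoted above, embedded as constructed input), reports the weak settings, and emits a hardened string. The certificate paths it inserts are placeholders, and the SQL constant at the end assumes the PostgreSQL 13 pg_stat_ssl and pg_stat_replication views.

```python
"""Audit a libpq primary_conninfo string for weak TLS settings.

Added example for the pgsql-admin thread; not part of PostgreSQL.
Assumes PostgreSQL 13 libpq keywords. Certificate paths are placeholders.
"""
import re

# Constructed sample: the line pg_basebackup wrote into postgresql.auto.conf
# in the thread. The whole value is single-quoted at the conf-file level, so
# the embedded libpq quotes around the password are doubled ('').
SAMPLE_CONF_LINE = (
    "primary_conninfo = 'user=replicator password=''9897'' "
    "channel_binding=prefer host=10.1.1.224 port=5432 "
    "sslmode=prefer sslcompression=0 "
    "ssl_min_protocol_version=TLSv1.2 gssencmode=prefer "
    "krbsrvname=postgres target_session_attrs=any'"
)

# One libpq token: key = 'quoted value with \-escapes'  or  key = barevalue
_TOKEN = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|([^\s']*))")


def unquote_conf_value(line):
    """Strip the postgresql.conf `key = '...'` quoting; a doubled '' is one quote."""
    _, _, raw = line.partition("=")
    raw = raw.strip()
    if raw.startswith("'") and raw.endswith("'"):
        raw = raw[1:-1].replace("''", "'")
    return raw


def parse_conninfo(conninfo):
    """Parse a libpq key=value string into a dict (backslash escapes honoured)."""
    params, pos = {}, 0
    while pos < len(conninfo):
        m = _TOKEN.match(conninfo, pos)
        if not m:
            if conninfo[pos:].strip() == "":
                break
            raise ValueError(f"cannot parse conninfo near {conninfo[pos:pos + 20]!r}")
        key, quoted, bare = m.groups()
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params


def quote_value(value):
    """Quote a value the way libpq expects when it contains spaces, quotes or backslashes."""
    if value and not re.search(r"[\s'\\]", value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def audit(params):
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    sslmode = params.get("sslmode", "prefer")  # libpq default
    if sslmode in ("disable", "allow", "prefer"):
        findings.append(f"sslmode={sslmode}: connection may silently fall back to plaintext")
    elif sslmode == "require":
        findings.append("sslmode=require: encrypted, but the primary's certificate is not verified")
    if "sslcert" not in params or "sslkey" not in params:
        findings.append("no sslcert/sslkey: the standby cannot satisfy clientcert=1 in pg_hba.conf")
    if "password" in params:
        findings.append("password: stored in clear text in postgresql.auto.conf")
    return findings


def harden(params, sslcert, sslkey, sslrootcert):
    """Return a conninfo string with server verification and a client certificate added."""
    hardened = dict(params)
    hardened["sslmode"] = "verify-full"   # verify the CA chain and the host name
    hardened["sslcert"] = sslcert         # presented to satisfy clientcert=1
    hardened["sslkey"] = sslkey
    hardened["sslrootcert"] = sslrootcert  # CA that signed the primary's server cert
    return " ".join(f"{k}={quote_value(v)}" for k, v in hardened.items())


# Run on the primary to confirm each walsender connection is actually TLS
# (pg_stat_ssl and pg_stat_replication share the backend pid).
VERIFY_SQL = """
SELECT r.application_name, r.client_addr, s.ssl, s.version, s.cipher, s.client_dn
FROM pg_stat_replication r JOIN pg_stat_ssl s USING (pid);
"""

if __name__ == "__main__":
    params = parse_conninfo(unquote_conf_value(SAMPLE_CONF_LINE))
    for finding in audit(params):
        print("WEAK:", finding)
    print(harden(params, "/etc/postgresql/replicator.crt",   # placeholder paths
                 "/etc/postgresql/replicator.key", "/etc/postgresql/root.crt"))
    print(VERIFY_SQL)
```

With the hardened string in place the standby presents its certificate (what 'clientcert=1' on the master's hostssl line demands) and refuses to talk to a primary whose certificate does not match the CA and host name. Running VERIFY_SQL through psql on the master answers the "is it really encrypted" question directly: a row with ssl = f, or no row at all for a walsender, means that replication connection is not protected.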
