Re: Replication & TLS encryption - how?

On 08/04/2021 03:59, Laurenz Albe wrote:
> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>> On 07/04/2021 17:36, Tom Lane wrote:
>>> lejeczek <peljasz(at)yahoo(dot)co(dot)uk> writes:
>>>> A novice here thus please go easy on me as I ask this - I
>>>> see docs/howtos all over the place be those either talk of
>>>> encryption or replication. I failed to find one which blend
>>>> these two concepts together - sure it's possible to pgSQL
>>>> replication encrypted, right?
>>> Replication connections work exactly like normal sessions for
>>> this purpose. Just make sure you set any required parameters
>>> in the standby's connection string.
>>>
>>> regards, tom lane
>>>
>>>
>> Thanks. Would you know how '|clientcert=1' fits into the
>> equation?
>> With it present in pg_hba.conf pgSQL was not happy saying:
>>
>> FATAL: connection requires a valid client certificate.
> Then include "sslcert" in "primary_conninfo".
>
> You can use all the libpq connection parameters:
> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>
> Yours,
> Laurenz Albe
This below is what 'pg_basebackup' generated on the master
itself, master which already was configured for TLS/certs.

primary_conninfo = 'user=replicator password=''9897''
channel_binding=prefer host=10.1.1.224 port=5432
sslmode=prefer sslcompression=0
ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
krbsrvname=postgres target_session_attrs=any'

And with master's:

hostssl    replication     replicator      10.1.1.223/32 md5
clientcert=1

standby would not connect, but without 'clientcert=1' it
seems to work.

I guess my question - as any novice's - would be: is
replication really 100% encrypted? How to confirm-test it?
Lastly: is there anything more at 'pg_basebackup' stage user
can do to have 'configs' more ready, more complete for 'full
encryption' when starting with master already configured
with TLS?
I'm on 13.2 version.

many thanks, L.