Re: ssl database connection problems...

Well, I cleared out other database problems and now I'm back to this one...

When I run the OpenSSL command below I get the following output...

-bash-3.00$ /usr/local/ssl/bin/openssl verify -CAfile ./root.crt testcert.pem
Error loading file ./root.crt
24149:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./root.crt','r')
24149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c: 129:
24149:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper

The associated lines in my postgres log are these...
[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG: connection received: host=129.79.36.241 port=33869
[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG: could not accept SSL connection: cipher or hash unavailable
[postgres:walterc:2009-01-16 16:50:35 EST]LOG: disconnection: session time: 0:06:03.150 user=postgres database=walterc host=[local]

There is a line concerning ssl ciphers in the postgresql.conf file. I'm wondering if that may be causing my problem. What should this be set to?

Carol

On Dec 29, 2008, at 9:36 PM, Ray Stell wrote:

On Mon, Dec 29, 2008 at 04:23:30PM -0500, Carol Walter wrote:
"with openssl" when I initially configured the server. Are there other things that need to be done to get openssl started on the database server?
How can I diagnose this problem?


The files server.key, server.crt, root.crt, and root.crl are only examined during server start; so you must restart the server for changes in them
to take effect.

http://www.postgresql.org/docs/8.3/interactive/ssl-tcp.html

It's been awhile since I played with this, but there's something about an
environment var, PGSSLMODE.

You can use openssl to verify the server/root ca correctness like
this:

openssl  verify -CAfile ./root.crt testcert.pem

assuming openssl in the mix.


--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
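
As an added example (not part of the original thread), a shell wrapper around the `openssl verify` command quoted above that separates an unreadable `-CAfile` from a certificate that fails to chain. The function names and the demo subject names are assumptions, and the demo chain is constructed test data.

```shell
#!/bin/sh
# Added example. Function names and the demo subject names are assumptions.
# Return codes of verify_against_root:
#   0 = certificate chains to the root, 1 = it does not,
#   2 = an input could not be read or openssl is missing, so nothing was verified.

verify_against_root() {
    root=$1   # CA file, e.g. /path/to/data/root.crt
    cert=$2   # certificate to check, e.g. testcert.pem

    # "Error loading file ./root.crt" means -CAfile could not be opened.
    # Catch that first so it is not mistaken for a bad certificate.
    for f in "$root" "$cert"; do
        if [ ! -r "$f" ]; then
            echo "UNREADABLE: $f (cwd is $(pwd))" >&2
            return 2
        fi
    done
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; return 2; }

    # Judge by the output as well as the exit status: older OpenSSL
    # releases can exit 0 from "verify" even when the check fails.
    out=$(openssl verify -CAfile "$root" "$cert" 2>&1) || true
    case $out in
        *": OK") echo "OK: $cert chains to $root"; return 0 ;;
    esac
    echo "FAIL: $cert does not verify against $root" >&2
    echo "$out" >&2
    return 1
}

# Constructed test data: a throwaway root CA and one certificate it signed.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
        -keyout "$d/test.key" -out "$d/test.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/test.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/testcert.pem" >/dev/null 2>&1
}
```

A return code of 2 means the check never reached the certificate, which is a different problem from a chain that fails to verify.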
