Re: Replication & TLS encryption - how?

On 08/04/2021 03:59, Laurenz Albe wrote:
> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>> On 07/04/2021 17:36, Tom Lane wrote:
>>> lejeczek <peljasz@xxxxxxxxxxx> writes:
>>>> A novice here thus please go easy on me as I ask this - I
>>>> see docs/howtos all over the place be those either talk of
>>>> encryption or replication. I failed to find one which blends
>>>> these two concepts together - sure it's possible to have pgSQL
>>>> replication encrypted, right?
>>> Replication connections work exactly like normal sessions for
>>> this purpose.  Just make sure you set any required parameters
>>> in the standby's connection string.
>>>
>>> 			regards, tom lane
>>
>> Thanks. Would you know how 'clientcert=1' fits into the
>> equation?
>> With it present in pg_hba.conf pgSQL was not happy saying:
>>
>> FATAL:  connection requires a valid client certificate.
> Then include "sslcert" in "primary_conninfo".
>
> You can use all the libpq connection parameters:
> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
>
> Yours,
> Laurenz Albe

This below is what 'pg_basebackup' generated on the master itself, master which already was configured for TLS/certs.

primary_conninfo = 'user=replicator password=''9897'' channel_binding=prefer host=10.1.1.224 port=5432 sslmode=prefer sslcompression=0 ssl_min_protocol_version=TLSv1.2 gssencmode=prefer krbsrvname=postgres target_session_attrs=any'

And with master's:

hostssl    replication     replicator      10.1.1.223/32 md5 clientcert=1

standby would not connect, but without 'clientcert=1' it seems to work.

I guess my question - as any novice's - would be: is replication really 100% encrypted? How to confirm-test it? Lastly: is there anything more at 'pg_basebackup' stage user can do to have 'configs' more ready, more complete for 'full encryption' when starting with master already configured with TLS?
I'm on 13.2 version.

many thanks, L.
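
As an added example (not part of the original message and not PostgreSQL project code), the Python below parses the primary_conninfo and pg_hba.conf lines quoted above and lists where that pair falls short of verified, certificate-authenticated TLS. The function names are hypothetical, and both input lines are constructed from the values in the message.

```python
import re

# Constructed inputs: the two settings exactly as quoted in the message above.
CONF_LINE = ("primary_conninfo = 'user=replicator password=''9897'' "
             "channel_binding=prefer host=10.1.1.224 port=5432 sslmode=prefer "
             "sslcompression=0 ssl_min_protocol_version=TLSv1.2 gssencmode=prefer "
             "krbsrvname=postgres target_session_attrs=any'")
HBA_LINE = "hostssl    replication     replicator      10.1.1.223/32 md5 clientcert=1"

def parse_conninfo(conf_line):
    """Return the libpq keyword/value pairs set by a primary_conninfo line."""
    raw = conf_line.split("=", 1)[1].strip()
    # postgresql.conf quoting: drop the outer quotes; '' is a literal quote.
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        raw = raw[1:-1].replace("''", "'")
    pairs = re.findall(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))", raw)
    # libpq quoting: a value is a bare word or '...' with backslash escapes.
    return {k: re.sub(r"\\(.)", r"\1", q) if q else b for k, q, b in pairs}

def parse_hba(hba_line):
    """Return (connection type, auth options) of one pg_hba.conf rule."""
    fields = hba_line.split()
    return fields[0], dict(f.split("=", 1) for f in fields if "=" in f)

def audit(conf_line, hba_line):
    """List TLS gaps between the standby's conninfo and the primary's rule."""
    params = parse_conninfo(conf_line)
    conn_type, opts = parse_hba(hba_line)
    mode = params.get("sslmode", "prefer")  # libpq's default is prefer
    findings = []
    if mode in ("disable", "allow", "prefer"):
        forced = "forces" if conn_type == "hostssl" else "does not force"
        findings.append(f"sslmode={mode} permits an unencrypted connection; "
                        f"the {conn_type} rule {forced} TLS")
    if mode not in ("verify-ca", "verify-full"):
        findings.append(f"sslmode={mode} does not require a verified primary "
                        "certificate, so the standby cannot detect an impostor")
    # On 13.x clientcert=1 is the older spelling of clientcert=verify-ca.
    if opts.get("clientcert", "0") in ("1", "verify-ca", "verify-full") \
            and not {"sslcert", "sslkey"} <= params.keys():
        findings.append("rule demands a client certificate but conninfo sets "
                        "no sslcert/sslkey, so libpq only tries its default "
                        "~/.postgresql/postgresql.crt and postgresql.key")
    return findings

if __name__ == "__main__":
    for finding in audit(CONF_LINE, HBA_LINE):
        print("-", finding)
```

On a running primary, joining pg_stat_replication to pg_stat_ssl on pid shows whether each standby's connection is actually using TLS, and with which protocol version and cipher.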




