On Tue, May 10, 2011 at 6:09 AM, zhong ming wu <mr.z.m.wu@xxxxxxxxx> wrote:
> On Mon, May 9, 2011 at 10:50 PM, Merlin Moncure <mmoncure@xxxxxxxxx> wrote:
>
>> Now maybe *I'm* a little confused. Are you connecting to the write
>> port (stunnel's secure port)? As I understand it, the stunnel pgsql
>> protocol is such that the client side libpq application can connect to
>> stunnel which unwraps the encrypted data and connects w/o ssl to
>> postgres. From the server's point of view, the connection should be
>> unencrypted and from the client's it should remain encrypted.
>>
>> I can think of two reasons why you would want to do this:
>> *) pgbouncer, or some other connection pooler type piece of software
>> that does not support ssl
>> *) for loading purposes you are trying to keep all
>> encryption/decryption off the main server.
>>
>> merlin
>
> My client connects to stunnel's local port. Come to think of it,
> assuming that the line
>
> "SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)"
>
> comes from psql, I am getting the expected behavior. Because psql
> connects to the stunnel local port unencrypted. stunnel encrypts the data
> and sends it to the postgres server. The server accepts the
> connection because it is coming in encrypted.

yup, you're right. I always set it up the other way so I just assumed
that's what you were doing.

> It would also be nice to find out from the pg server that the
> communication is encrypted. I just don't see a way to find it out
> except from the following two facts 1) my server is configured to be
> just so 2) the output of 'ps' which tells me how the connection is
> coming in.

100% agree. maybe a column in pg_stat_activity showing the encryption
protocol?

merlin

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
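The client-side stunnel setup the thread describes (psql talks cleartext to a local port, stunnel speaks the PostgreSQL SSLRequest handshake and TLS to the real server), written out as an added example; this is not configuration from the original thread, and the server hostname, listening port and certificate paths are assumed placeholders.

```ini
; Client-side stunnel service, as discussed in the thread above.
; psql connects to 127.0.0.1:5433 in cleartext; stunnel sends the
; PostgreSQL SSLRequest and carries the session to the server over TLS.
; Hostname, port and file paths are assumptions, not values from the thread.
client = yes

[pgsql]
accept   = 127.0.0.1:5433
connect  = db.example.internal:5432
protocol = pgsql
; Check the server certificate against a trusted CA; without this a
; connection that looks encrypted can still be terminated by any host
; presenting a certificate.
verify = 2
CAfile = /etc/stunnel/ca.crt
```

Binding `accept` to the loopback address keeps the cleartext hop confined to the client machine, so the only unencrypted traffic never leaves the host.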