Re: Having issue with SSL.


Some new information.  I was able to connect to postgresql via ssl from a machine in the same subnet as the server.  Beyond port 5432, are there any other ports that need to be opened to access postgresql via ssl?  There is a firewall set up between the server and the clients that need access, but we have only port 5432 opened.

From: Randy Needham <randomize17@xxxxxxxxxxx>
Sent: Wednesday, May 24, 2023 2:02 PM
To: pgsql-general@xxxxxxxxxxxxxxxxxxxx <pgsql-general@xxxxxxxxxxxxxxxxxxxx>
Subject: Having issue with SSL.
 
host - Windows Server 2022
postgresql - 14.8
pgAdmin 4 - 7.1
openssl - 3.1.0

So I have generated a key and csr file to be sent to a CA cert issuer InCommon.  I generated via openssl with the following command.

openssl.exe req -newkey rsa:2048 -nodes -keyout postgresql.key -out postgresql.csr

Downloaded the PKCS#7, PEM encoded version of the cert to use.  The following are the changes I made to postgresql.conf.  The x.x.x.x is the actual IP of the Server.

listen_addresses = 'x.x.x.x' 

ssl = on
#ssl_ca_file = ''
ssl_cert_file = './certs/postgresql.cer'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = './certs/postgresql.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

Here is the current setup of pg_hba.conf with real IPs being x.x.x.x


# "local" is for Unix domain socket connections only
#local   all             all                                     scram-sha-256
# IPv4 local connections:
#host    all             all             127.0.0.1/32            scram-sha-256
#host    all             all             x.x.x.x/32       scram-sha-256
host    all             all             x.x.x.x/32        scram-sha-256
hostssl all             all             127.0.0.1/32            scram-sha-256
hostssl all             all             x.x.x.x/32       scram-sha-256
hostssl all             all             x.x.x.x/32        scram-sha-256
# IPv6 local connections:
# host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     scram-sha-256
host    replication     all             127.0.0.1/32            scram-sha-256
# host    replication     all             ::1/128                 scram-sha-256

The problem I am running into is my remote client can't connect via SSL to postgresql.  I am able to from the server itself.  This is using pgAdmin 4 and making ssl mode as required.  Also ran psql.exe on the server to show that SSL was in fact working on the server. "SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)".  In the logs it is showing this when I try to connect via my remote client.

[2672] LOG:  could not accept SSL connection: An existing connection was forcibly closed by the remote host.

The error from pgAdmin 4 on the remote client is this.

connection failed: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request.  SSL SYSCALL error: Connection reset by peer (0x00002746/100054)

I have been trying to find a solution with no luck.  I am hoping that I might be missing something simple and someone will be able to see it.
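
An added diagnostic example, not part of the original thread: PostgreSQL negotiates TLS in-band on its one listening port (the client sends an 8-byte SSLRequest, the server answers S or N, and only then does the TLS handshake start), so a probe like this shows at which step a connection like the one described above is cut. The function names and the address in the last line are hypothetical placeholders.

```python
import socket
import ssl
import struct

# Fixed by the PostgreSQL wire protocol: (1234 << 16) | 5679
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """8-byte SSLRequest: int32 length (8) then int32 request code, big-endian."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def negotiate(sock: socket.socket) -> tuple[str, str]:
    """Return (stage, detail): the first step that failed, or ("ok", ...)."""
    try:
        sock.sendall(build_ssl_request())
        answer = sock.recv(1)
    except OSError as exc:
        return "ssl_request", str(exc)
    if answer == b"":
        return "ssl_request", "connection closed before the server answered"
    if answer != b"S":  # b"N" means the server will not do SSL
        return "ssl_refused", f"server answered {answer!r}"
    # Diagnostic only: the certificate is NOT verified and no credentials are
    # sent. Real clients should verify the server (e.g. sslmode=verify-full).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "tls_handshake", str(exc)


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> tuple[str, str]:
    """Connect to host:port and report where the SSL connection attempt stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_connect", str(exc)
    with sock:
        return negotiate(sock)


if __name__ == "__main__":
    print(probe("192.0.2.10"))  # placeholder address; use the server's IP
```

Run it once from a client in the server's subnet and once from a client beyond the firewall. A result that changes from ok to tls_handshake between the two runs points at something on the network path rather than at postgresql.conf or pg_hba.conf.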


