Search Postgresql Archives

Re: PQConnectdb SSL (sslmode): Is this a bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hi michael and tom,
(A) With LIBPQ.SO.3.2

After reading your response i copied the libpq.so.3.2 from the compiled source tree to /usr/lib where the version available was libpq.so.3.1.
I recreated the symbolic links and now the links are as below:
[root@localhost DBApi]# ls -l /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx  1 postgres root      21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2

[root@localhost DBApi]#   ls -l /usr/local/pgsql/lib/libpq.so*
lrwxrwxrwx  1 root root     12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so -> libpq.so.3.2
lrwxrwxrwx  1 root root     12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3 -> libpq.so.3.2
-rwxr-xr-x  1 root root 122177 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3.2

[root@localhost DBApi]# which psql
/usr/bin/psql
[root@localhost DBApi]# psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
[root@localhost DBApi]# env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib
[root@localhost DBApi]#

The postmaster command is:
/usr/local/pgsql/bin/postmaster -D /usr/local/pgsql/data/ -i >logfile 2>&1 &

As "postgres" user:
-bash-2.05b$ which psql
/usr/local/pgsql/bin/psql
-bash-2.05b$ psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
-bash-2.05b$ env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib/
-bash-2.05b$

"test_k2" was a typo (sorry about that) ...

[root@localhost serv]# ldd ./bin/test_lib
        linux-gate.so.1 =>  (0x00a4e000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x003c8000)
        libpq.so.3 => /usr/lib/libpq.so.3 (0x008b4000)
        libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x00590000)
        libm.so.6 => /lib/tls/libm.so.6 (0x002b0000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x004e7000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00193000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00176000)
        libssl.so.4 => /lib/libssl.so.4 (0x00c6a000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x0076f000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00caa000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x003ff000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c53000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00758000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x006aa000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x006a5000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00714000)
        libdl.so.2 => /lib/libdl.so.2 (0x002d5000)
        libz.so.1 => /usr/lib/libz.so.1 (0x002db000)
[root@localhost serv]#

now i ran the program i had that has a conect command with ("hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=prefer") parameters.

[root@localhost serv]# ./bin/test_lib
Connection failed: could not open certificate file "/root/.postgresql/postgresql.crt": No such file or directory
ret=-1

I don't think i need to have ~/.postgresql/postgresql.crt on server. I thought that was the requirement only with the clients ... so, i think i shouldn't be getting this error. On server (as per documentation) i need to have the files in $PGDATA rather than in ~/.postgresql. Hence this question.

[root@localhost serv]# cat /var/lib/pgsql/logfile
LOG:  database system was interrupted at 2005-08-29 12:56:46 PDT
LOG:  checkpoint record is at 0/655FF5F4
LOG:  redo record is at 0/655FF5F4; undo record is at 0/0; shutdown FALSE
LOG:  next transaction ID: 15567; next OID: 11920206
LOG:  database system was not properly shut down; automatic recovery in progress
LOG:  record with zero length at 0/655FF630
LOG:  redo is not required
LOG:  database system is ready
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate

Now with allow:
"hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=allow"
[root@localhost libk2]# ./bin/test_k2
 
ret=0
GOT CONNECTION
NAME                     AGE
----------------------------
me                      1
you                     2
they                    3
us                      4
[root@localhost libk2]#

(B) With LIBPQ.SO.3.1

[root@localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx  1 postgres root      21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root@localhost DBApi]# rm /usr/lib/libpq.so.3
rm: remove symbolic link `/usr/lib/libpq.so.3'? y
[root@localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so.3
[root@localhost DBApi]# rm /usr/lib/libpq.so
rm: remove symbolic link `/usr/lib/libpq.so'? y
[root@localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so
[root@localhost DBApi]# chown postgres /usr/lib/libpq*
[root@localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 16:07 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.1
lrwxrwxrwx  1 postgres root      21 Aug 29 16:07 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root@localhost DBApi]#

doing nothing but above commands ... killing and restarting the postmaster ...
(1) sslmode=allow:
[root@localhost serv]# ./bin/test_lib
 ret=0
GOT CONNECTION
NAME                     AGE
----------------------------
me                      1
you                     2
they                    3
us                      4
[root@localhost serv]# vi src/test_lib.cpp
(2) sslmode=prefer
[root@localhost serv]# ./bin/test_lib
Connection failed: SSL error: sslv3 alert handshake failure
 
ret=-1
[root@localhost serv]#

This is what i am curious about:
(a) Where am i going wrong?
(b) Why are the error messages different?
(c) When LD_LIBRARY_PATH is set to /usr/local/pgsql/lib, then why does it matter if the links on /usr/lib/libpq.so are changed?

thanks,
vish

On 8/26/05, Michael Fuhr <mike@xxxxxxxx> wrote:
On Fri, Aug 26, 2005 at 01:57:36PM -0700, vishal saberwal wrote:
> I am not sure as to how i can find the version of libpq that i am
> using on my server. My test file has sslmode=prefer. This is what i
> did:
> (a)
> [root@localhost serv]# ./bin/test_lib
> Connection failed: SSL error: sslv3 alert handshake failure

I asked what appeared in the server's logs when this happened but
I don't see that information in your post.  Those log entries might
be useful, so please post them if you continue to have trouble.

> ret=-1
> [root@localhost serv]# ldd ./bin/test_lib
> ...
>         libpq.so.3 => /usr/lib/libpq.so.3 (0x002ee000)

What's the output of the following command?

  ls -l /usr/lib/libpq.so*

In my 7.4.8 installation I see the following:

  libpq.so -> libpq.so.3.1
  libpq.so.3 -> libpq.so.3.1
  libpq.so.3.1

As I recall, 8.0.1's libpq was libpq.so.3.2 (this was changed to
libpq.so.4.0 in 8.0.2), so the library's minor version should tell
you which version of PostgreSQL you're linked against.

I asked if the certificate works with psql, and if it does, for you
to show the output of "ldd psql".  I don't see that output -- does
psql work?  If so then please post its ldd output.

> [root@localhost libk2]# ./bin/test_k2
> Connection failed: could not open certificate file
> "/root/.postgresql/postgresql.crt": No such file or directory

What's test_k2?  It's looking for the certificate, although perhaps
not where you want it to.  What happens if you run this program as
a user that has a certificate, or if you install the certificate
and key in /root/.postgresql?  Also, I don't see test_k2's ldd
output -- is it linked against /usr/local/pgsql/lib/libpq.so.3?
If so, what's the output of the following command?

  ls -l /usr/local/pgsql/lib/libpq.so*

I'm wondering if you have PostgreSQL 7.4's libraries installed in
/usr/lib and 8.0.1's libraries in /usr/local/pgsql/lib.  Is that
what you've done?

--
Michael Fuhr


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux