Re: ssl database connection problems...
From | Carol Walter |
---|---|
Subject | Re: ssl database connection problems... |
Date | |
Msg-id | E0C8B5AA-621F-45A0-83C9-20A3AC4AFD5B@indiana.edu |
In reply to | Re: ssl database connection problems... (Ray Stell <stellr@cns.vt.edu>) |
Replies | Re: ssl database connection problems... |
List | pgsql-admin |
Well, I cleared out other database problems and now I'm back to this one...

When I run the OpenSSL command below I get the following output...

-bash-3.00$ /usr/local/ssl/bin/openssl verify -CAfile ./root.crt testcert.pem
Error loading file ./root.crt
24149:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./root.crt','r')
24149:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
24149:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper

The associated lines in my postgres log are these...

[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG: connection received: host=129.79.36.241 port=33869
[[unknown]:[unknown]:2009-01-16 16:46:32 EST]LOG: could not accept SSL connection: cipher or hash unavailable
[postgres:walterc:2009-01-16 16:50:35 EST]LOG: disconnection: session time: 0:06:03.150 user=postgres database=walterc host=[local]

There is a line concerning ssl ciphers in the postgresql.conf file. I'm wondering if that may be causing my problem. What should this be set to?

Carol

On Dec 29, 2008, at 9:36 PM, Ray Stell wrote:

> On Mon, Dec 29, 2008 at 04:23:30PM -0500, Carol Walter wrote:
>> "with openssl" when I initially configured the server. Are there other
>> things that need to be done to get openssl started on the database server?
>> How can I diagnose this problem?
>>
>
> The files server.key, server.crt, root.crt, and root.crl are only examined
> during server start; so you must restart the server for changes in them
> to take effect.
>
> http://www.postgresql.org/docs/8.3/interactive/ssl-tcp.html
>
> It's been awhile since I played with this, but there's something about an
> environment var, PGSSLMODE.
>
> You can use openssl to verify the server/root ca correctness like this:
>
> openssl verify -CAfile ./root.crt testcert.pem
>
> assuming openssl in the mix.
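
Added example (not part of the original thread): a pre-flight check around the `openssl verify` command quoted above, which separates a missing or unreadable input file from an actual certificate verification failure. The function names and the assumption that all four files named in the quoted reply sit in one directory are illustrative.

```shell
#!/bin/sh
# Added example: check the SSL files before running `openssl verify`.
# Assumption: server.key, server.crt, root.crt and root.crl live in one
# directory passed as $1. Function names are hypothetical.

# Print one status line per file; return the number of problems found.
check_ssl_files() {
    dir=$1
    problems=0
    for f in server.key server.crt root.crt root.crl; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        elif [ ! -r "$dir/$f" ]; then
            echo "unreadable: $dir/$f"
            problems=$((problems + 1))
        else
            echo "ok: $dir/$f"
        fi
    done
    return "$problems"
}

# Return 0 = certificate verified against root.crt
#        1 = openssl ran but did not report OK
#        2 = an input file cannot be read (a path problem, not a certificate problem)
#        3 = openssl is not on PATH
verify_against_root() {
    dir=$1
    cert=$2
    for f in "$dir/root.crt" "$cert"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f (current directory: $(pwd))" >&2
            return 2
        fi
    done
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 3; }
    # Match on the ": OK" line rather than only the exit status.
    out=$(openssl verify -CAfile "$dir/root.crt" "$cert" 2>&1)
    echo "$out"
    case $out in
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_ssl.sh /path/to/ssl/files /path/to/testcert.pem
if [ "$#" -ge 2 ]; then
    check_ssl_files "$1"
    verify_against_root "$1" "$2"
fi
```
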