Re: SSL Connection help, pls...

On Wed, 27 Jan 2010, Tom Lane wrote:
>
> Richard Troy <rtroy@ScienceTools.com> writes:
> > Although I think I've got everything configured correctly, I'm not getting
> > ssl encrypted connections to be accepted. Also, havent' figured out how to
> > tell psql to try _only_ an ssl-type connection.
>
> I don't know the answer to your problems offhand, but a few suggestions:
>
> * Read the version of the docs corresponding to your server version,
>   not earlier or later ones.  This stuff changes.

Thanks, Tom, I hadn't thought any of this had changed since before version
7, or at the least had been pretty consistent through v 8, but that's a
silly assumption on my part!

> * Look in the postmaster log to see what gets logged during a failed
>   connection attempt.

Of course! -duh!-

Depending on which test, I get either:

LOG:  could not accept SSL connection: sslv3 alert certificate unknown
LOG:  could not accept SSL connection: peer did not return a certificate

...which seems to (strongly) suggest that it's requiring not only an
encrypted connection but that the user present a certificate.

> * I do know about try-only-SSL, it's driven by an environment variable:
>   export PGSSLMODE=require

Good to know.

> * The docs only cover SSL in the context of psql and other libpq-based
>   clients.  For JDBC you should probably ask on pgsql-jdbc.  But try to
>   get psql working first.

Yes, I agree.

I have been thinking about updating all my systems to the same (latest)
version - perhaps it's time to do that and then see where things are.

Thanks for your suggestions, Tom,
Richard


--
Richard Troy, Chief Scientist
Science Tools Corporation
510-717-6942
rtroy@ScienceTools.com, http://ScienceTools.com/