SSL connection error in PostgreSQL 8.0

We have an application that connects to PostgreSQL 8.0, 9.0 or 9.5 (different versions for different clients). We recently decided to add an SSL connection for more security. Everything seems to be good at 9.0 and 9.5, but not at 8.0.

Here's what I do to test the connection (I will compare the 8.0 and 9.0 settings as they are very similar). I am testing the connection on a local machine; this is done locally for testing purposes only, so don't tell me to disable SSL for localhost, as this is not the answer I'm looking for.

I have prepared all the required certificates. Server side:

root.crt
server.crt
server.key

And I put these files in the \data folders of the PostgreSQL 9.0 and 8.0 installations.

I have client certificates:

postgresql.crt
postgresql.key

They are located in the \appdata\Roaming\postgresql folder on the same computer.

I edited postgresql.conf in 8.0 and 9.0 and set this option:

ssl = on

(I tried ssl = true too)

In pg_hba.conf I only have one connection option:

TYPE     DATABASE USER CIDR-ADDRESS   METHOD

9.0

hostssl   all    all   ::1/128   cert

8.0

hostssl   all    all   127.0.0.1/32 md5 clientcert=1


In 8.0 I use "md5 clientcert=1" because there is no "cert" option (I also tried "trust" and "md5") and I also tried different addresses - ::1/128, even "everything". The result is always the same - I cannot connect to the 8.0 server if the hostssl option is the only one available. I am getting this error:

SSL error: tlsv1 alert decrypt error
FATAL: no pg_hba.conf entry for host "127.0.0.1", user "SU", database "template1", SSL off


I have no problem connecting to 9.0 (and up to 9.5). I am using PgAdmin III to try to connect because if I can connect with it, I can also connect to the server with the app.

Does anyone have an idea why I can't connect over SSL to PostgreSQL 8.0?

+3



2 answers


Someone using PostgreSQL 8.0 doesn't care enough about security to care about SSL connections, right?

For example, since the database is subject to CVE-2013-1899, any user with network access can write arbitrary files to the databases.



However, I guess the problem is that the 8.0 server is using an older version of OpenSSL, e.g. one without a fix for CVE-2009-3555, and later versions of OpenSSL that contain a fix are deprecating the handshake.

You might consider upgrading OpenSSL on Server 8.0.

+1



Finally, I was able to connect over SSL to PostgreSQL 8.0. When creating certificate files (*.crt) using OpenSSL, this option must be added to the command line commands:

-sha1



Otherwise, SHA-256 is used by default, but this algorithm is not supported in the old version of OpenSSL that is included in PostgreSQL 8.0.

0

