Hi,

I tried sending this mail to pgadmin, but nobody could find a solution to my problem. So I changed my problem into a suggestion and I was hoping I am at the right place for it here :-)

-------- Original Message --------
Subject: Postgres using SSL connections
Date: Thu, 25 Aug 2005 20:27:18 +0200
From: Simon de Hartog <simon.postgresql@dehartog.nl>
To: pgsql-admin@postgresql.org

Hi,

I want to have Postgres use an SSL certificate for secure access by clients over the internet. I have a server that runs PostgreSQL and I have created my own Certificate Authority. I now have a certificate and corresponding private key in /etc/ssl. This pair is used without problems by:

- Apache 2
- LDAP server
- Sendmail
- stunnel
- VPN software

I have added all the users these applications run as to a group called "ssl". Permissions on the private key are owned by root, group ssl, protection rw-r----- (640). When I tell PostgreSQL to use this key with certificate (by using symlinks from server.key and server.crt in the postgreSQL data dir) it tells me that owner and permissions are wrong.

How can I use this certificate and key for PostgreSQL (without copying the key and changing owner and permissions etc, because then the whole idea of centrally coordinated certificates is gone)?

I checked the archives. A lot of comments considering the unclear error messages in previous versions, this has been solved IMHO. Also some comments and patches to remove these checks, concluded by comments that they must remain. All in all, it still doesn't work for my situation.

So my suggestion is: Would it be nice to have a configuration-file option to disable these checks? Maybe possibly even configurable locations of these files, instead of the defaults in the PostgreSQL data dir?

Kind regards and thanks in advance,

Simon de Hartog

P.S. If you would like a patch, do you want it against 8.0.x or 8.1 beta (or both)?

--
"From every point in life, there's a road that leads to where you want to go."
E: simon <at-sign> dehartog <point> nl
W: http://simon.dehartog.nl/
P: +31-6-15094709
M: simon_net <at-sign> rootsr <point> com
I: 8714776
K: http://www.rootsr.com/simon.crt

---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
Simon de Hartog <simon.postgresql@dehartog.nl> writes:
> I have added all the users these applications run as to a group called
> "ssl". Permissions on the private key are owned by root, group ssl,
> protection rw-r----- (640). When I tell PostgreSQL to use this key with
> certificate (by using symlinks from server.key and server.crt in the
> postgreSQL data dir) it tells me that owner and permissions are wrong.

> How can I use this certificate and key for PostgreSQL (without copying
> the key and changing owner and permissions etc, because then the whole
> idea of centrally coordinated certificates is gone)?

You can't, and I don't see why it's a good idea to use the same key for different server applications.

regards, tom lane

---------------------------(end of broadcast)---------------------------
On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote:

> I have added all the users these applications run as to a group called
> "ssl". Permissions on the private key are owned by root, group ssl,
> protection rw-r----- (640). When I tell PostgreSQL to use this key with
> certificate (by using symlinks from server.key and server.crt in the
> postgreSQL data dir) it tells me that owner and permissions are wrong.
>
> How can I use this certificate and key for PostgreSQL (without copying
> the key and changing owner and permissions etc, because then the whole
> idea of centrally coordinated certificates is gone)?

Did you try using a hardlink instead of a symlink?

--
Alvaro Herrera -- Valdivia, Chile
Architect, www.EnterpriseDB.com
"No herd of beasts has a voice as horrible as the human one" (Orual)

---------------------------(end of broadcast)---------------------------
On Mon, Sep 05, 2005 at 03:27:01PM -0400, Alvaro Herrera wrote:
> On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote:
>
> > I have added all the users these applications run as to a group called
> > "ssl". Permissions on the private key are owned by root, group ssl,
> > protection rw-r----- (640). When I tell PostgreSQL to use this key with
> > certificate (by using symlinks from server.key and server.crt in the
> > postgreSQL data dir) it tells me that owner and permissions are wrong.
>
> Did you try using a hardlink instead of a symlink?

Huh, sorry, of course it doesn't work.

--
Alvaro Herrera -- Valdivia, Chile
Architect, www.EnterpriseDB.com
Syntax error: function hell() needs an argument.
Please choose what hell you want to involve.

---------------------------(end of broadcast)---------------------------
Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
> On Mon, Sep 05, 2005 at 09:03:06PM +0200, Simon de Hartog wrote:
>> How can I use this certificate and key for PostgreSQL (without copying
>> the key and changing owner and permissions etc, because then the whole
>> idea of centrally coordinated certificates is gone)?

> Did you try using a hardlink instead of a symlink?

Won't help --- he's complaining about the stat() test on ownership and permissions of the private key file (in be-secure.c). stat looks through symlinks, so the answer will be the same.

regards, tom lane

---------------------------(end of broadcast)---------------------------
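The behaviour discussed in this thread can be reproduced with a small program. This is an added example, not PostgreSQL's be-secure.c code: `key_file_ok` and `verdicts_for_mode` are hypothetical names, and the rule they apply (regular file, owned by the calling user, no group or world bits) is an assumed stand-in for the ownership and permission test the posts mention.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check in the spirit of the thread: the key must be a regular
 * file, owned by the calling user, with no group or world permission bits. */
static int key_file_ok(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)           /* stat() follows symlinks */
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Creates a key file with `mode` plus a symlink and a hard link to it.
 * Returns a bitmask of which paths pass: 1 = direct, 2 = symlink,
 * 4 = hard link; -1 if the constructed files could not be set up. */
static int verdicts_for_mode(mode_t mode)
{
    char dir[] = "/tmp/keycheckXXXXXX";  /* constructed scratch directory */
    char key[64], sym[64], hard[64];
    int fd, mask = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(key, sizeof key, "%s/real.key", dir);
    snprintf(sym, sizeof sym, "%s/server.key", dir);
    snprintf(hard, sizeof hard, "%s/hard.key", dir);
    fd = open(key, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0 && close(fd) == 0 && chmod(key, mode) == 0 &&
        symlink(key, sym) == 0 && link(key, hard) == 0)
        mask = key_file_ok(key) | (key_file_ok(sym) << 1) |
               (key_file_ok(hard) << 2);
    unlink(sym); unlink(hard); unlink(key); rmdir(dir);
    return mask;
}

int main(void)
{
    printf("0640 -> %d, 0600 -> %d\n",
           verdicts_for_mode(0640), verdicts_for_mode(0600));
    return 0;
}
```

A symlink resolves to the same inode under stat(), and a hard link is the same inode, so the mode and owner the check sees do not depend on which name is used to reach the key.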