I have configured ssl = on in postgresql.conf (and installed a certificate etcetera). Does this ensure that all clients will always connect over SSL?
(I.e. does ssl = on make it impossible to connect without SSL encryption?) Are there other ways to ensure that all clients always connect over SSL/TLS?
Kind regards, KajMagnus
2 Answers
ssl = on only enables the possibility of using SSL. To ensure that all clients are using SSL, add hostssl lines in pg_hba.conf, e.g., and remove all host lines. (Well, maybe keep the ones for localhost.)
Peter Eisentraut
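As an added audit example (my own code, not part of Peter's answer): a Python script that parses a constructed pg_hba.conf and lists every non-loopback host/hostnossl entry that still lets a client connect without SSL. The helper names and the sample file are assumptions; only the pg_hba.conf column layout comes from PostgreSQL's documentation.

```python
# Added audit helper (not from the original answers): parses pg_hba.conf text
# and reports entries that still permit unencrypted TCP connections.
# Assumes the documented pg_hba.conf column layout:
#   TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# where TYPE is local, host, hostssl or hostnossl (local lines have no ADDRESS).
import ipaddress

# Constructed sample, not the poster's real file. The 10.0.0.0/8 "host" line is
# the kind of entry the answer says to remove: "host" matches SSL and plain TCP.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS        METHOD
local      all       all                  peer
host       all       all   127.0.0.1/32   md5
host       all       all   10.0.0.0/8     md5
hostssl    all       all   0.0.0.0/0      md5  clientcert=1
hostnossl  all       all   ::/0           reject
"""

def is_loopback(address):
    """True for localhost-style ADDRESS values (the ones the answer says may stay)."""
    if address in ("localhost", "samehost"):
        return True
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname, "all", "samenet": treat as remote

def parse_hba(text):
    """Yield (type, database, user, address, method) for each non-comment entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            fields.insert(3, "")  # local entries have no ADDRESS column
        if len(fields) >= 5:
            yield tuple(fields[:5])

def plaintext_entries(text):
    """Non-loopback entries that let a client in without SSL.

    "host" matches both SSL and non-SSL clients and "hostnossl" only non-SSL
    ones, so either permits plaintext unless its METHOD is reject."""
    return [e for e in parse_hba(text)
            if e[0] in ("host", "hostnossl") and e[4] != "reject"
            and not is_loopback(e[3])]
```

Run plaintext_entries on your own pg_hba.conf text; an empty result means only hostssl lines (plus loopback and reject entries) remain, which is what the answer recommends.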
No, that simply enables the use of SSL. You need to also make the appropriate changes to your pg_hba.conf file.
gsiems
I am running PostgreSQL 9 on Ubuntu (from their PPA repository). I am using OpenSSL 0.9.8o.
I have generated keys and certificates using TinyCA2 for both a pg server and the psql client. I essentially followed the instructions.
My pg_hba.conf file is configured with this:
I have put the root certificate generated by TinyCA along with the server's certificate and key in the DATA directory as follows.
Yet I am unable to start the server. This is what I get on startup:
Interestingly, the root.crt file is very much present and readable:
What is going on? What do I have to do for this certificate to load???
malaverdiere
1 Answer
Permissions are OK. I have working:
Try to put these files in the data directory (/var/lib/postgresql/9.0/{clustername}), not the config directory (/etc/postgresql/9.0/{clustername}).
When a cluster is created, snakeoil server.key and server.crt are automatically provided in the data directory, but there is no root.crt. You probably put your certs in the config directory.
To start in SSL mode, the files server.crt and server.key must exist in the server's data directory. These files should contain the server certificate and private key, respectively. If the private key is protected with a passphrase, the server will prompt for the passphrase and will not start until it has been entered.
To require the client to supply a trusted certificate, place certificates of the certificate authorities (CA) you trust in the file root.crt in the data directory.
In Ubuntu:
Grzegorz Szpetkowski