Re: PQConnectdb SSL (sslmode): Is this a bug

From vishal saberwal
Subject Re: PQConnectdb SSL (sslmode): Is this a bug
Msg-id 3e74dc25050829162361df1ddd@mail.gmail.com
In reply to Re: PQConnectdb SSL (sslmode): Is this a bug  (Michael Fuhr <mike@fuhr.org>)
Responses Re: PQConnectdb SSL (sslmode): Is this a bug  (vishal saberwal <vishalsaberwal@gmail.com>)
Re: PQConnectdb SSL (sslmode): Is this a bug  (Michael Fuhr <mike@fuhr.org>)
List pgsql-general
Hi Michael and Tom,
(A) With LIBPQ.SO.3.2

After reading your response I copied the libpq.so.3.2 from the compiled source tree to /usr/lib where the version available was libpq.so.3.1.
I recreated the symbolic links and now the links are as below:
[root@localhost DBApi]# ls -l /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx  1 postgres root      21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2

[root@localhost DBApi]#   ls -l /usr/local/pgsql/lib/libpq.so*
lrwxrwxrwx  1 root root     12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so -> libpq.so.3.2
lrwxrwxrwx  1 root root     12 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3 -> libpq.so.3.2
-rwxr-xr-x  1 root root 122177 Aug 26 13:17 /usr/local/pgsql/lib/libpq.so.3.2

[root@localhost DBApi]# which psql
/usr/bin/psql
[root@localhost DBApi]# psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
[root@localhost DBApi]# env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib
[root@localhost DBApi]#

The postmaster command is:
/usr/local/pgsql/bin/postmaster -D /usr/local/pgsql/data/ -i >logfile 2>&1 &

As "postgres" user:
-bash-2.05b$ which psql
/usr/local/pgsql/bin/psql
-bash-2.05b$ psql --version
psql (PostgreSQL) 8.0.1
contains support for command-line editing
-bash-2.05b$ env |grep -i "LD_LIBRARY"
LD_LIBRARY_PATH=/usr/local/pgsql/lib/
-bash-2.05b$

"test_k2" was a typo (sorry about that) ...

[root@localhost serv]# ldd ./bin/test_lib
        linux-gate.so.1 =>  (0x00a4e000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x003c8000)
        libpq.so.3 => /usr/lib/libpq.so.3 (0x008b4000)
        libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x00590000)
        libm.so.6 => /lib/tls/libm.so.6 (0x002b0000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x004e7000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00193000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00176000)
        libssl.so.4 => /lib/libssl.so.4 (0x00c6a000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x0076f000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00caa000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x003ff000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c53000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00758000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x006aa000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x006a5000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00714000)
        libdl.so.2 => /lib/libdl.so.2 (0x002d5000)
        libz.so.1 => /usr/lib/libz.so.1 (0x002db000)
[root@localhost serv]#

Now I ran the program I had that has a connect command with ("hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=prefer") parameters.

[root@localhost serv]# ./bin/test_lib
Connection failed: could not open certificate file "/root/.postgresql/postgresql.crt": No such file or directory
ret=-1

I don't think I need to have ~/.postgresql/postgresql.crt on the server. I thought that was the requirement only with the clients ... so, I think I shouldn't be getting this error. On the server (as per documentation) I need to have the files in $PGDATA rather than in ~/.postgresql. Hence this question.

[root@localhost serv]# cat /var/lib/pgsql/logfile
LOG:  database system was interrupted at 2005-08-29 12:56:46 PDT
LOG:  checkpoint record is at 0/655FF5F4
LOG:  redo record is at 0/655FF5F4; undo record is at 0/0; shutdown FALSE
LOG:  next transaction ID: 15567; next OID: 11920206
LOG:  database system was not properly shut down; automatic recovery in progress
LOG:  record with zero length at 0/655FF630
LOG:  redo is not required
LOG:  database system is ready
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate
LOG:  could not accept SSL connection: peer did not return a certificate

Now with allow:
"hostaddr=169.254.59.60 dbname=dbm user=postgres sslmode=allow"
[root@localhost libk2]# ./bin/test_k2
 
ret=0
GOT CONNECTION
NAME                     AGE
----------------------------
me                      1
you                     2
they                    3
us                      4
[root@localhost libk2]#

(B) With LIBPQ.SO.3.1

[root@localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 15:00 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.2
lrwxrwxrwx  1 postgres root      21 Aug 29 14:59 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.2
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root@localhost DBApi]# rm /usr/lib/libpq.so.3
rm: remove symbolic link `/usr/lib/libpq.so.3'? y
[root@localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so.3
[root@localhost DBApi]# rm /usr/lib/libpq.so
rm: remove symbolic link `/usr/lib/libpq.so'? y
[root@localhost DBApi]# ln -s /usr/lib/libpq.so.3.1 /usr/lib/libpq.so
[root@localhost DBApi]# chown postgres /usr/lib/libpq*
[root@localhost DBApi]# ll /usr/lib/libpq*
-rw-r--r--  1 postgres root 1480452 Mar 10  2004 /usr/lib/libpq.a
lrwxrwxrwx  1 postgres root      21 Aug 29 16:07 /usr/lib/libpq.so -> /usr/lib/libpq.so.3.1
lrwxrwxrwx  1 postgres root      21 Aug 29 16:07 /usr/lib/libpq.so.3 -> /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  113988 Mar 10  2004 /usr/lib/libpq.so.3.1
-rwxr-xr-x  1 postgres root  122177 Aug 26 12:55 /usr/lib/libpq.so.3.2
[root@localhost DBApi]#

Doing nothing but the above commands ... killing and restarting the postmaster ...
(1) sslmode=allow:
[root@localhost serv]# ./bin/test_lib
 ret=0
GOT CONNECTION
NAME                     AGE
----------------------------
me                      1
you                     2
they                    3
us                      4
[root@localhost serv]# vi src/test_lib.cpp
(2) sslmode=prefer
[root@localhost serv]# ./bin/test_lib
Connection failed: SSL error: sslv3 alert handshake failure
 
ret=-1
[root@localhost serv]#

This is what I am curious about:
(a) Where am I going wrong?
(b) Why are the error messages different?
(c) When LD_LIBRARY_PATH is set to /usr/local/pgsql/lib, then why does it matter if the links on /usr/lib/libpq.so are changed?

thanks,
vish

On 8/26/05, Michael Fuhr <mike@fuhr.org> wrote:
On Fri, Aug 26, 2005 at 01:57:36PM -0700, vishal saberwal wrote:
> I am not sure as to how i can find the version of libpq that i am
> using on my server. My test file has sslmode=prefer. This is what i
> did:
> (a)
> [root@localhost serv]# ./bin/test_lib
> Connection failed: SSL error: sslv3 alert handshake failure

I asked what appeared in the server's logs when this happened but
I don't see that information in your post.  Those log entries might
be useful, so please post them if you continue to have trouble.

> ret=-1
> [root@localhost serv]# ldd ./bin/test_lib
> ...
>         libpq.so.3 => /usr/lib/libpq.so.3 (0x002ee000)

What's the output of the following command?

  ls -l /usr/lib/libpq.so*

In my 7.4.8 installation I see the following:

  libpq.so -> libpq.so.3.1
  libpq.so.3 -> libpq.so.3.1
  libpq.so.3.1

As I recall, 8.0.1's libpq was libpq.so.3.2 (this was changed to
libpq.so.4.0 in 8.0.2), so the library's minor version should tell
you which version of PostgreSQL you're linked against.

I asked if the certificate works with psql, and if it does, for you
to show the output of "ldd psql".  I don't see that output -- does
psql work?  If so then please post its ldd output.

> [root@localhost libk2]# ./bin/test_k2
> Connection failed: could not open certificate file
> "/root/.postgresql/postgresql.crt": No such file or directory

What's test_k2?  It's looking for the certificate, although perhaps
not where you want it to.  What happens if you run this program as
a user that has a certificate, or if you install the certificate
and key in /root/.postgresql?  Also, I don't see test_k2's ldd
output -- is it linked against /usr/local/pgsql/lib/libpq.so.3?
If so, what's the output of the following command?

  ls -l /usr/local/pgsql/lib/libpq.so*

I'm wondering if you have PostgreSQL 7.4's libraries installed in
/usr/lib and 8.0.1's libraries in /usr/local/pgsql/lib.  Is that
what you've done?

--
Michael Fuhr
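
The check Michael Fuhr's reply walks through (which real file `libpq.so.3` resolves to, and which release that minor version belongs to), as an added shell example that is not part of either message. `classify_libpq`, `describe_libpq` and the expected-directory argument are hypothetical names, and the sample `ldd` lines are constructed in the format shown in the post.

```shell
#!/bin/sh
# Constructed sample, in the ldd output format shown in the post.
SAMPLE_LDD='        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x003c8000)
        libpq.so.3 => /usr/lib/libpq.so.3 (0x008b4000)
        libssl.so.4 => /lib/libssl.so.4 (0x00c6a000)'

# Read ldd output on stdin; print the path libpq was resolved to.
libpq_path_from_ldd() {
    awk '$1 ~ /^libpq\.so/ && $2 == "=>" { print $3; exit }'
}

# Map the real file name to a release, using only the pairs stated in
# Michael Fuhr's reply; anything else is reported as unknown.
libpq_release() {
    case $(basename "$1") in
        libpq.so.3.1) echo "7.4.8" ;;
        libpq.so.3.2) echo "8.0.1" ;;
        libpq.so.4.0) echo "8.0.2" ;;
        *)            echo "unknown" ;;
    esac
}

# classify_libpq RESOLVED_PATH [EXPECTED_DIR]  (hypothetical helper)
# Prints "resolved real release"; returns 1 when the real file is not
# inside EXPECTED_DIR, e.g. /usr/lib instead of /usr/local/pgsql/lib.
classify_libpq() {
    real=$(readlink -f "$1")          # follow libpq.so.3 -> libpq.so.3.x
    echo "$1 $real $(libpq_release "$real")"
    if [ -n "$2" ]; then
        want=$(readlink -f "$2")
        case $real in
            "$want"/*) return 0 ;;
            *) echo "libpq is loaded from outside $2" >&2; return 1 ;;
        esac
    fi
    return 0
}

# describe_libpq BINARY [EXPECTED_DIR]: the same check on a real binary.
describe_libpq() {
    resolved=$(ldd "$1" 2>/dev/null | libpq_path_from_ldd)
    [ -n "$resolved" ] || { echo "no libpq in ldd output of $1" >&2; return 1; }
    classify_libpq "$resolved" "$2"
}

if [ $# -gt 0 ]; then
    describe_libpq "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | libpq_path_from_ldd
fi
```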
