On Mon, May 9, 2011 at 10:50 PM, Merlin Moncure <mmoncure@gmail.com> wrote:
> Now manybe *I'm* a little confused. Are you connecting to the write
> port (stunnel's secure port)? As I understand it, the stunnel pgsql
> protocol is such that the client side libpq application can connect to
> stunnel which unwraps the encrypted data and connects w/o ssl to
> postgres. From the server's point of view, the connection should be
> unencrypted and from the client's it should remain encrypted.
>
> I can think of two reasons why you would want to do this:
> *) pgbouncer, or a some other connection pooler type piece of software
> that does not support ssl
> *) for loading purposes you are trying to keep all
> encryption/decryption off the main server.
>
> merlin
>
My client connects to the stunnel'l local port. Come to think of it..
assuming that the line
"SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)"
comes from psql I am getting the expected behavior. Because psql
connects to stunnel local port unencrypted. stunnel encrypts the data
and sends it to the postgres server. The server accepts the
connection because it is coming in encrypted.
I would also be nice to find out from the pg server that the
communication is encrypted. I just don't see a way to find it out
except from the following two facts 1) my server is configured to be
just so 2) the output of 'ps' which tells me how the connection is
coming in.