Discussion: pgAdmin asks me the server's private key
Hi,

I installed PostgreSQL on my server with the SSL support enabled. I have my own CA and I generated a cert for this service. When I use pgAdmin III, it says:

"Error connecting to the server: certificate present, but not private key file "C:\Users\<my user>\AppData\Roaming/postgresql/postgresql.key"

I don't understand why it wants the server private key?! It's a big security hole if I must give the private key. Do I miss something?

Thank you for your help,
Sébastien Mauroy
On 06/10/2010 22:51, Sébastien Mauroy wrote:
> [...]
> I installed PostgreSQL on my server with the SSL support enabled. I
> have my own CA and I generated a cert for this service. When I use
> pgAdmin III, it says:
>
> "Error connecting to the server: certificate present, but not private
> key file "C:\Users\<my user>\AppData\Roaming/postgresql/postgresql.key"
>
> I don't understand why it wants the server private key?! It's a big
> security hole if I must give the private key. Do I miss something?
>
Well, I guess you do. Did you try to connect with psql? Didn't it ask for the same thing?

--
Guillaume
http://www.postgresql.fr
http://dalibo.com
I think this is a postgres question about how it expects ssl to be configured ...
I found some source code for Postgres that has this message in it.
http://doxygen.postgresql.org/fe-secure_8c-source.html
    if (have_cert && fnbuf[0] != '\0')
    {
        /* read the client key from file */

        if (stat(fnbuf, &buf) != 0)
        {
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("certificate present, but not private key file \"%s\"\n"),
                              fnbuf);
            return -1;
        }
#ifndef WIN32
        if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))
        {
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("private key file \"%s\" has group or world access; permissions should be u=rw (0600) or less\n"),
                              fnbuf);
            return -1;
        }
#endif

        if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
        {
            char *err = SSLerrmessage();

            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("could not load private key file \"%s\": %s\n"),
                              fnbuf, err);
            SSLerrfree(err);
            return -1;
        }
    }
2010/10/6 Guillaume Lelarge <guillaume@lelarge.info>
On 06/10/2010 22:51, Sébastien Mauroy wrote:
> [...]
> I installed PostgreSQL on my server with the SSL support enabled. I
> have my own CA and I generated a cert for this service. When I use
> pgAdmin III, it says:
>
> "Error connecting to the server: certificate present, but not private
> key file "C:\Users\<my user>\AppData\Roaming/postgresql/postgresql.key"
>
> I don't understand why it wants the server private key?! It's a big
> security hole if I must give the private key. Do I miss something?
>
Well, I guess you do. Did you try to connect with psql? didn't it ask
for the same thing?
--
Guillaume
http://www.postgresql.fr
http://dalibo.com
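Added example, not part of the thread and not libpq code: the excerpt's comment ("read the client key from file") and its `have_cert` condition show that the file being looked for is the client's own key, wanted only when a client certificate is present. The hypothetical helper `check_client_key` repeats the excerpt's existence and permission checks on a pair of paths; treating `have_cert` as "the certificate file exists" is an assumption, since the excerpt does not show how it is set.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Outcomes, in the order the excerpt tests them. */
enum key_status {
    KEY_NOT_NEEDED,   /* no client certificate, so no key is looked up */
    KEY_MISSING,      /* "certificate present, but not private key file" */
    KEY_BAD_PERMS,    /* not a regular file, or group/world access */
    KEY_OK            /* key exists with owner-only permissions */
};

/* Hypothetical helper (not a libpq function): same decisions as the
 * excerpt, for a client certificate / key pair at the given paths. */
enum key_status check_client_key(const char *cert_path, const char *key_path)
{
    struct stat st;

    /* Assumption: have_cert is modelled as "the certificate file exists". */
    if (stat(cert_path, &st) != 0)
        return KEY_NOT_NEEDED;

    /* Certificate found, so the matching private key must be there too. */
    if (stat(key_path, &st) != 0)
        return KEY_MISSING;

#ifndef _WIN32
    /* Same test as the excerpt: regular file, no bits for group or others. */
    if (!S_ISREG(st.st_mode) || (st.st_mode & (S_IRWXG | S_IRWXO)))
        return KEY_BAD_PERMS;
#endif
    return KEY_OK;
}

int main(int argc, char **argv)
{
    static const char *text[] = {
        "no client certificate: no key is needed",
        "certificate present, but no private key file",
        "key file has group or world access (want 0600 or less)",
        "client certificate and key look usable"
    };
    if (argc != 3) {
        fprintf(stderr, "usage: %s <client.crt> <client.key>\n", argv[0]);
        return 2;
    }
    enum key_status s = check_client_key(argv[1], argv[2]);
    printf("%s\n", text[s]);
    return s == KEY_MISSING || s == KEY_BAD_PERMS;
}
```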
On 07/10/2010 00:50, Sébastien Mauroy wrote:
> Thank you for your help!
>
> On 7/10/2010 00:15, Guillaume Lelarge wrote:
>> Well, I guess you do. Did you try to connect with psql? Didn't it ask
>> for the same thing?
>
> I got the same message.
>
So, the issue is with PostgreSQL, not pgAdmin.

> On 7/10/2010 00:25, Michael Shapiro wrote:
>> I think this is a postgres question about how it expects ssl to be
>> configured ...
>> I found some source code for Postgres that has this message in it.
>
> I read the source "fe-secure.c" and it seems to need the private key...but
> I can't understand why. My only change of the default "postgresql.conf"
> is the "ssl" option (to true).
>
I never set up PostgreSQL to use SSL with certificate, so I can't answer. The best you can do is read the manual (http://www.postgresql.org/docs/9.0/interactive/ssl-tcp.html) and ask on a PostgreSQL mailing list (pgsql-admin or pgsql-general).

--
Guillaume
http://www.postgresql.fr
http://dalibo.com