Thread: Connecting via SSL not working (except from psql)

Connecting via SSL not working (except from psql)

From
Paul Legato
Date:
Hi,

I'm trying to connect to SSL-enabled Postgres (started with -i -l) using
both the openssl command line utility and with a modified JDBC driver
using the built in JSSE API from Java 1.4.

If I attempt to connect from a shell with the openssl test utility, I get:

$ openssl s_client -connect localhost:5432
CONNECTED(00000003)
25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:

With the JDBC driver, at connection I get:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

In both cases, the server logs the message "FATAL 1:  invalid length of
startup packet".

A connection to the server with psql works fine, and prints "SSL
connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
manually specifying this cipher to openssl, which does not change the
result.

I'm stuck. Any suggestions or pointers will be greatly appreciated. :)

Thanks,
-Paul


Re: Connecting via SSL not working (except from psql)

From
"Magnus Hagander"
Date:
Hi!

SSL is not enabled at connection time in pgsql - it is negotiated with
the postmaster, and enabled later. You need to send a correctly
formatted start message in clear text to the postmaster to initiate the
SSL negotiation first, and turn on SSL after that (assuming the
postmaster reports that SSL is Ok).
This is done so the postmaster can listen for both SSL and non-SSL
connections on the same port.

Take a look at how libpq does it. In 7.1.3, it starts at line 963 in
interfaces/libpq/fe-connect.c.
(Sorry, don't have the source to a newer version around right now - look
for comment on 'Attempt to negotiate SSL usage').

//Magnus

> -----Original Message-----
> From: Paul Legato [mailto:plegato@nks.net]
> Sent: Tuesday, August 06, 2002 5:47 PM
> To: pgsql-admin@postgresql.org
> Cc: pgsql-jdbc@postgresql.org
> Subject: [ADMIN] Connecting via SSL not working (except from psql)
>
>
> Hi,
>
> I'm trying to connect to SSL-enabled Postgres (started with
> -i -l) using
> both the openssl command line utility and with a modified JDBC driver
> using the built in JSSE API from Java 1.4.
>
> If I attempt to connect from a shell with the openssl test
> utility, I get:
>
> $ openssl s_client -connect localhost:5432
> CONNECTED(00000003)
> 25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:460:
>
> With the JDBC driver, at connection I get:
>
> javax.net.ssl.SSLException: Unrecognized SSL message,
> plaintext connection?
>
> In both cases, the server logs the message "FATAL 1:  invalid
> length of
> startup packet".
>
> A connection to the server with psql works fine, and prints "SSL
> connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
> manually specifying this cipher to openssl, which does not change the
> result.
>
> I'm stuck. Any suggestions or pointers will be greatly appreciated. :)
>
> Thanks,
> -Paul
>
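
The negotiation described in the reply above, as an added example that is not part of the original thread and is not libpq's code. It assumes the 8-byte SSLRequest message and one-byte `S`/`N` reply of the documented PostgreSQL wire protocol (the 7.1.3 source referenced above may frame the packet differently); `negotiate_ssl` and `connect_tls` are hypothetical names.

```python
import socket
import ssl
import struct

# SSLRequest: Int32 length (8, counts itself) + Int32 code 80877103,
# i.e. (1234 << 16) | 5679, a value no real protocol version uses.
SSL_REQUEST_CODE = (1234 << 16) | 5679
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)


def negotiate_ssl(sock):
    """Send SSLRequest in clear text; return True if the server accepts SSL.

    Reads exactly one byte of the reply: after 'S' the next bytes on the
    wire belong to the TLS handshake and must not be consumed here.
    """
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    # b"E" starts an ErrorResponse from a server without SSL support;
    # an empty read means the server closed the connection.
    raise ConnectionError("unexpected SSLRequest reply: %r" % reply)


def connect_tls(host, port, context=None):
    """Open a TLS-protected socket to a PostgreSQL server, or fail closed."""
    context = context or ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        if not negotiate_ssl(raw):
            # A client that requires TLS must not fall back to plaintext.
            raise ConnectionError("server refused SSL")
        # Only now start the handshake that `openssl s_client` sends
        # immediately, which the server misreads as a startup packet.
        return context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

The default context verifies the server certificate and host name, so a self-signed test server needs its CA loaded into the context passed to `connect_tls`.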

Re: Connecting via SSL not working (except from psql)

From
Paul Legato
Date:
Hi Magnus,

Thanks for the help. I'll take a look at fe-connect.c and see if I can
get my JDBC driver working.

Is anyone within the Postgres project currently adding SSL support to
JDBC? Anyone interested in the patches once I get everything working?

-Paul


Magnus Hagander wrote:
> Hi!
>
> SSL is not enabled at connection time in pgsql - it is negotiated with
> the postmaster, and enabled later. You need to send a correctly
> formatted start message in clear text to the postmaster to initiate the
> SSL negotiation first, and turn on SSL after that (assuming the
> postmaster reports that SSL is Ok).
> This is done so the postmaster can listen for both SSL and non-SSL
> connections on the same port.
>
> Take a look at how libpq does it. In 7.1.3, it starts at line 963 in
> interfaces/libpq/fe-connect.c.
> (Sorry, don't have the source to a newer version around right now - look
> for comment on 'Attempt to negotiate SSL usage').
>
> //Magnus
>
>
>>-----Original Message-----
>>From: Paul Legato [mailto:plegato@nks.net]
>>Sent: Tuesday, August 06, 2002 5:47 PM
>>To: pgsql-admin@postgresql.org
>>Cc: pgsql-jdbc@postgresql.org
>>Subject: [ADMIN] Connecting via SSL not working (except from psql)
>>
>>
>>Hi,
>>
>>I'm trying to connect to SSL-enabled Postgres (started with
>>-i -l) using
>>both the openssl command line utility and with a modified JDBC driver
>>using the built in JSSE API from Java 1.4.
>>
>>If I attempt to connect from a shell with the openssl test
>>utility, I get:
>>
>>$ openssl s_client -connect localhost:5432
>>CONNECTED(00000003)
>>25870:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>protocol:s23_clnt.c:460:
>>
>>With the JDBC driver, at connection I get:
>>
>>javax.net.ssl.SSLException: Unrecognized SSL message,
>>plaintext connection?
>>
>>In both cases, the server logs the message "FATAL 1:  invalid
>>length of
>>startup packet".
>>
>>A connection to the server with psql works fine, and prints "SSL
>>connection (cipher: DES-CBC3-SHA, bits: 168)" at startup. I've tried
>>manually specifying this cipher to openssl, which does not change the
>>result.
>>
>>I'm stuck. Any suggestions or pointers will be greatly appreciated. :)
>>
>>Thanks,
>>-Paul