Discussion: SslTests failures
Hi, I'm trying to run the SslTests but get 88 failures. It is probably something I set up wrong in the environment.

The following tests fail:

sslhostnossl[89]-requireG*
sslhostnossl[89]-verify-caGG*
sslhostnossl[89]-verify-fullGG*

sslhostsslgh[89]-disable*
sslhostsslbh[89]-disable*

sslhostcertgh[89]-disable*
sslhostcertbh[89]-disable*

sslcertgh[89]-disable*
sslcertbh[89]-disable*

All of them fail with unexpectedly successful connection (meaning: test expected connection opening to fail but it succeeded).

Here is a patch to the ssltest documentation describing how I have tried to set up the environment.

Index: certdir/README =================================================================== RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v retrieving revision 1.1 diff -u -r1.1 README --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 +++ certdir/README 22 Nov 2011 19:29:27 -0000 @@ -42,3 +42,11 @@ The subdirectory server contains what should be copied to the PGDATA directory. For the tests the sslinfo module must be installed into every database. +The ssl=on must be set in postgresql.conf + +The following command creates the databases and installs the sslinfo module. + +for db in hostssldb hostnossldb certdb hostsslcertdb; do + createdb $db + psql $db -c "create extension sslinfo" +done
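Review bot: the added README lines cover ssl=on and the sslinfo databases but leave out the pg_hba.conf requirement that is the actual cause of the 88 "unexpectedly successful connection" failures listed above: the server must reject plaintext connections to the SSL-only test databases (no blanket `host all` rule; `hostssl` rules instead), otherwise the driver connects without SSL and the `*-disable` and `requireG*` tests cannot observe the rejection they expect. Also, `+The ssl=on must be set in postgresql.conf` reads better as `ssl = on must be set in postgresql.conf`, and `create extension sslinfo` only exists on PostgreSQL 9.1 or later, which the README should state so readers on older servers know the loop will not work for them.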
Mikko,

You probably (like me) have a very permissive pg_hba.conf file. It needs to be restricted so that local databases need to connect via ssl. At least that was my experience.

Dave Cramer
dave.cramer(at)credativ(dot)ca
http://www.credativ.ca

On Tue, Nov 22, 2011 at 2:34 PM, Mikko Tiihonen <mikko.tiihonen@nitorcreations.com> wrote:
> Hi,
>
> I'm trying to run the SslTests but get 88 failures. It is probably something
> I set up wrong in the environment.
>
> The following tests fail:
>
> sslhostnossl[89]-requireG*
> sslhostnossl[89]-verify-caGG*
> sslhostnossl[89]-verify-fullGG*
>
> sslhostsslgh[89]-disable*
> sslhostsslbh[89]-disable*
>
> sslhostcertgh[89]-disable*
> sslhostcertbh[89]-disable*
>
> sslcertgh[89]-disable*
> sslcertbh[89]-disable*
>
> All of them fail with unexpectedly successful connection (meaning: test
> expected connection opening to fail but it succeeded).
>
> Here is a patch to the ssltest documentation describing how I have tried to
> set up the environment.
>
>
> Index: certdir/README > =================================================================== > RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v > retrieving revision 1.1 > diff -u -r1.1 README > --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 > +++ certdir/README 22 Nov 2011 19:29:27 -0000 > @@ -42,3 +42,11 @@ > The subdirectory server contains what should be copied to the PGDATA > directory. > > For the tests the sslinfo module must be installed into every database. > +The ssl=on must be set in postgresql.conf > + > +The following command creates the databases and installs the sslinfo > module. > + > +for db in hostssldb hostnossldb certdb hostsslcertdb; do > + createdb $db > + psql $db -c "create extension sslinfo" > +done
>
> --
> Sent via pgsql-jdbc mailing list (pgsql-jdbc@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-jdbc
>
On 11/22/2011 09:40 PM, Dave Cramer wrote:
> Mikko,
>
> You probably (like me) have a very permissive pg_hba.conf file. It
> needs to be restricted so that local databases need to connect via
> ssl. At least that was my experience.

Thanks, that helped me further. I had to uncomment all lines starting with "host all" or use the provided pg_hba.conf as is.

Now I have only 28 failures:
sslcertgh[89]-disable*
sslcertbh[89]-disable*

They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest" on jdbc driver side and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on server side.

I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which case I'll update the documentation to say that the postgres account for SSL tests must be named "test".

> On Tue, Nov 22, 2011 at 2:34 PM, Mikko Tiihonen
> <mikko.tiihonen@nitorcreations.com> wrote:
>> Hi,
>>
>> I'm trying to run the SslTests but get 88 failures. It is probably something
>> I set up wrong in the environment.
>>
>> The following tests fail:
>>
>> sslhostnossl[89]-requireG*
>> sslhostnossl[89]-verify-caGG*
>> sslhostnossl[89]-verify-fullGG*
>>
>> sslhostsslgh[89]-disable*
>> sslhostsslbh[89]-disable*
>>
>> sslhostcertgh[89]-disable*
>> sslhostcertbh[89]-disable*
>>
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> All of them fail with unexpectedly successful connection (meaning: test
>> expected connection opening to fail but it succeeded).
>>
>> Here is a patch to the ssltest documentation describing how I have tried to
>> set up the environment.
>>
>>
>> Index: certdir/README >> =================================================================== >> RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v >> retrieving revision 1.1 >> diff -u -r1.1 README >> --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 >> +++ certdir/README 22 Nov 2011 19:29:27 -0000 >> @@ -42,3 +42,11 @@ >> The subdirectory server contains what should be copied to the PGDATA >> directory. >> >> For the tests the sslinfo module must be installed into every database. >> +The ssl=on must be set in postgresql.conf >> + >> +The following command creates the databases and installs the sslinfo >> module. >> + >> +for db in hostssldb hostnossldb certdb hostsslcertdb; do >> + createdb $db >> + psql $db -c "create extension sslinfo" >> +done
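A small check for the pg_hba.conf problem Dave diagnoses and Mikko fixes above, added here as an example and not pgjdbc project code: it parses a constructed pg_hba.conf sample, lists the rules that let a non-SSL client reach a given test database, and applies the README's "comment out every line starting with host all" fix.

```python
import re

# Constructed sample pg_hba.conf: a permissive default "host all" rule
# followed by the SSL-specific rules the SslTests databases need.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE      USER  ADDRESS        METHOD
local     all           all                  trust
host      all           all   127.0.0.1/32   trust
hostssl   hostssldb     all   127.0.0.1/32   md5
hostnossl hostnossldb   all   127.0.0.1/32   md5
hostssl   certdb        all   127.0.0.1/32   cert
"""

# Connection types that accept a plaintext (non-SSL) TCP connection.
PLAINTEXT_TYPES = {"host", "hostnossl"}


def parse_pg_hba(text):
    """Return (lineno, type, database, user, method) for each rule line.
    Comments and blank lines are skipped; CIDR-style addresses are assumed
    (the old separate-netmask column form is not handled)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":      # local rules have no ADDRESS column
            ctype, db, user, method = fields[:4]
        else:
            ctype, db, user, _addr, method = fields[:5]
        rules.append((lineno, ctype, db, user, method))
    return rules


def plaintext_reachable(rules, database):
    """Line numbers of rules that let a non-SSL client reach `database`
    (only the 'all' keyword and comma-separated names are matched)."""
    return [lineno for lineno, ctype, db, _u, _m in rules
            if ctype in PLAINTEXT_TYPES and (db == "all" or database in db.split(","))]


def comment_out_host_all(text):
    """Apply the README's fix: comment out every rule starting with 'host all'."""
    return "\n".join("#" + ln if re.match(r"host\s+all\b", ln) else ln
                     for ln in text.splitlines()) + "\n"


if __name__ == "__main__":
    before = parse_pg_hba(SAMPLE_PG_HBA)
    after = parse_pg_hba(comment_out_host_all(SAMPLE_PG_HBA))
    for db in ("hostssldb", "certdb", "hostnossldb"):
        print(db, "plaintext via lines", plaintext_reachable(before, db),
              "-> after fix", plaintext_reachable(after, db))
```

With the `host all` rule present, hostssldb and certdb are reachable without SSL, which is exactly why the `-disable` tests connect when they should be refused; after the fix only hostnossldb keeps its intended plaintext rule.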
On 11/22/2011 10:31 PM, Mikko Tiihonen wrote:
> On 11/22/2011 09:40 PM, Dave Cramer wrote:
>> Mikko,
>>
>> You probably (like me) have a very permissive pg_hba.conf file. It
>> needs to be restricted so that local databases need to connect via
>> ssl. At least that was my experience.
>
> Thanks, that helped me further. I had to uncomment all lines starting with
> "host all" or use the provided pg_hba.conf as is.
>
> Now I have only 28 failures:
> sslcertgh[89]-disable*
> sslcertbh[89]-disable*
>
> They fail with "Connection rejected: FATAL: certificate authentication failed for user "jdbctest" on jdbc driver side
> and "LOG: provided user name (jdbctest) and authenticated user name (test) do not match" on server side.
>
> I cannot see where the authenticated user name "test" can come from unless it is inside the certificates - in which case I'll update the
> documentation to say that the postgres account for SSL tests must be named "test".

After running "createuser test -P" all ssl tests pass.

Here is the final patch to the README to document what the next user has to do to set up the tests.

Index: certdir/README =================================================================== RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v retrieving revision 1.1 diff -u -r1.1 README --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 +++ certdir/README 22 Nov 2011 21:01:58 -0000 
@@ -40,5 +40,18 @@ #Common name is localhost, no password The subdirectory server contains what should be copied to the PGDATA directory. +If you do not overwrite the pg_hba.conf then remember to comment out all lines +starting with "host all". For the tests the sslinfo module must be installed into every database. +The ssl=on must be set in postgresql.conf + +The following command creates the databases and installs the sslinfo module. + +for db in hostssldb hostnossldb certdb hostsslcertdb; do + createdb $db + psql $db -c "create extension sslinfo" +done + +The username for connecting to postgres as specified in build.local.properties tests has to be "test". +
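Review bot: `+If you do not overwrite the pg_hba.conf then remember to comment out all lines +starting with "host all".` gives the fix without the reason, and its wording ("comment out") differs from the earlier message in this thread ("uncomment all lines starting with host all"); please confirm "comment out" is meant and add why: a `host all` rule accepts non-SSL connections to every database, so only `hostssl`/`hostnossl` rules may match the test databases if the `-disable` tests are to be rejected. Likewise `+The username for connecting to postgres as specified in build.local.properties tests has to be "test".` should say why: with the `cert` method the server takes the user name from the client certificate, which is what the quoted log line `authenticated user name (test)` shows, so the role named in the certificate must exist and match the connecting user. Since the message says `createuser test -P` was the last missing step, that command belongs in the README next to the createdb loop. Minor: `build.local.properties tests` reads oddly; `build.local.properties` alone is enough, and `The ssl=on must be set` reads better as `ssl = on must be set`.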
Mikko,

Can you attach that file instead of including it inline?

Dave Cramer
dave.cramer(at)credativ(dot)ca
http://www.credativ.ca

On Tue, Nov 22, 2011 at 4:04 PM, Mikko Tiihonen <mikko.tiihonen@nitorcreations.com> wrote:
> On 11/22/2011 10:31 PM, Mikko Tiihonen wrote:
>>
>> On 11/22/2011 09:40 PM, Dave Cramer wrote:
>>>
>>> Mikko,
>>>
>>> You probably (like me) have a very permissive pg_hba.conf file. It
>>> needs to be restricted so that local databases need to connect via
>>> ssl. At least that was my experience.
>>
>> Thanks, that helped me further. I had to uncomment all lines starting with
>> "host all" or use the provided pg_hba.conf as is.
>>
>> Now I have only 28 failures:
>> sslcertgh[89]-disable*
>> sslcertbh[89]-disable*
>>
>> They fail with "Connection rejected: FATAL: certificate authentication
>> failed for user "jdbctest" on jdbc driver side
>> and "LOG: provided user name (jdbctest) and authenticated user name (test)
>> do not match" on server side.
>>
>> I cannot see where the authenticated user name "test" can come from unless
>> it is inside the certificates - in which case I'll update the
>> documentation to say that the postgres account for SSL tests must be named
>> "test".
>
> After running "createuser test -P" all ssl tests pass.
>
> Here is the final patch to the README to document what the next user has to do
> to set up the tests.
>
> Index: certdir/README > =================================================================== > RCS file: /cvsroot/jdbc/pgjdbc/certdir/README,v > retrieving revision 1.1 > diff -u -r1.1 README > --- certdir/README 17 Nov 2011 11:27:50 -0000 1.1 > +++ certdir/README 22 Nov 2011 21:01:58 -0000 > @@ -40,5 +40,18 @@ > #Common name is localhost, no password > > The subdirectory server contains what should be copied to the PGDATA > directory. > +If you do not overwrite the pg_hba.conf then remember to comment out all > lines > +starting with "host all". > > For the tests the sslinfo module must be installed into every database. > +The ssl=on must be set in postgresql.conf > + > +The following command creates the databases and installs the sslinfo > module. > + > +for db in hostssldb hostnossldb certdb hostsslcertdb; do > + createdb $db > + psql $db -c "create extension sslinfo" > +done > + > +The username for connecting to postgres as specified in > build.local.properties tests has to be "test". > +