Authentication by client cert does not work

Question

Authentication by client cert does not work

mc3 opened this issue 6 years ago · 6 comments

ajr$ psql -h db2 -p 2222
Timing is on.
SET
Time: 0,578 ms
search_path

erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public
(1 row)

Time: 0,617 ms
psql (10.3, server 10.5)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

operations=# \q
ajr$ PGSSLMODE=require pgmetrics -h db2 -p 2222 -w
pgmetrics: remote error: tls: handshake failure
ajr$

In pg_hba.conf the related line is
hostssl ... cert clientcert=1

Answer 1 · 2018-11-01T15:15:42.000Z

Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?

If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?

Answer 2 · 2018-11-01T16:20:50.000Z

Am 01.11.2018 um 16:32 schrieb Mahadevan ***@***.***>: Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?

They are not set.

If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?

They exist as links to cert and key.

…

--- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

Answer 3 · 2018-12-22T12:03:17.000Z

The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported.

It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.

Answer 4 · 2018-12-22T17:31:46.000Z

Am 22.12.2018 um 13:03 schrieb Mahadevan ***@***.***>: The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported. It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.

I changed my ssl_ciphers in the server config to: ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA (Thanks for the advice (-:), but: ajr$ pgmetrics -h db2 -p 2222 -w -f human operations pgmetrics: pq: no pg_hba.conf entry for host "2a05:bec0:26:10::124", user "ajr", database "operations", SSL off ajr$ psql -p 2222 Timing is on. SET Time: 0,591 ms search_path --------------------------------------------------------- erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public (1 row) Time: 0,561 ms psql (10.5, server 10.6) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off) Type "help" for help. Axel PS: There is a client certificate in use --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

Answer 5 · 2018-12-23T03:45:08.000Z

pgmetrics is trying to connect without SSL (this is the default behavior). Can you try:

PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations

Answer 6 · 2018-12-29T16:35:04.000Z

Am 23.12.2018 um 04:45 schrieb Mahadevan ***@***.***>: pgmetrics is trying to connect without SSL (this is the default behavior). Can you try: PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations

With server setting ssl_ciphers = 'ECDHE:DHE+HIGH:!eNULL:!aNULL:!MD5:!RC2:!RC4:@strength' ssl_prefer_server_ciphers = on it works. Thanks for this nice program. Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

ajr$ psql -h db2 -p 2222 Timing is on. SET Time: 0,578 ms search_path

ajr$ psql -h db2 -p 2222
Timing is on.
SET
Time: 0,578 ms
search_path