Обсуждение: using a .postgresql/root.crt
I now have SSL encryption working between psql and my PostgreSQL
server, but want to enable client verification of the server's SSL
certificate (and eventually vice-versa).
My problem is that when I copy my root.crt certificate into my
.postgresql directory, I am given the error:
psql: unrecognized SSL error code
which I find terribly uninformative. Adding the code
{
char buf[256];
ERR_error_string(SSL_get_error(conn->ssl, r),
buf);
printf("%s\n", buf);
}
around line 928 in fe-secure.c shows me:
error:00000004:lib(0):func(0):nested asn1 error
Has anyone else had problems getting certificate checking to work?
Feel free to suggest any commands with which I could explore with the
openssl command line tool whether my root certificate is really
legible and valid; the command
/usr/local/ssl/bin/openssl verify < root.crt
gives me the notice
error 18 at 0 depth lookup:self signed certificate
as one would expect, but nothing about not being able to parse the
certificate itself.
--
Brandon Craig Rhodes http://www.rhodesmill.org/brandon
Georgia Tech brandon@oit.gatech.edu
Brandon Craig Rhodes <brandon@oit.gatech.edu> writes: > I now have SSL encryption working between psql and my PostgreSQL > server, but want to enable client verification of the server's SSL > certificate (and eventually vice-versa). The problem of which I spoke has mysteriously but happily resolved itself; the client now refuses to connect to the server unless presented with an SSL certificate that can be verified using the root.crt in my ~/.postgresql directory on the client. My follow-up question: I now want the server to be able to verify the client's identity. But after giving the server my root.crt, where do I put the certificate that the client should present to the server? -- Brandon Craig Rhodes http://www.rhodesmill.org/brandon Georgia Tech brandon@oit.gatech.edu