Re: [GENERAL] How to test SSL cert from CA?
On 07/11/2015 07:32 PM, James Cloos wrote:
> FR == Francisco Reyes li...@natserv.net writes:
>
> Did you include the intermediate cert(s) in the bundle which the server presents to the client?

Yes.

> And did you confirm that the client trusts the issuer's root? Some require explicit configuration of that.

The client in this case is a program a client of mine runs. I don't have access to the program.

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] How to test SSL cert from CA?
FR == Francisco Reyes li...@natserv.net writes:

FR> I bought a SSL cert and installed it, but the program is still having
FR> the issue.

Did you include the intermediate cert(s) in the bundle which the server presents to the client?

And did you confirm that the client trusts the issuer's root? Some require explicit configuration of that.

-JimC
--
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
Re: [GENERAL] How to test SSL cert from CA?
VK == Vick Khera vi...@khera.org writes:

VK> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

See: http://debian-administration.org/users/dkg/weblog/103

Also, check out: https://github.com/nabla-c0d3/sslyze

You'll need to add support for pg's protocol, but it should be straightforward to do so.

-JimC
--
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
Re: [GENERAL] How to test SSL cert from CA?
Francisco Reyes li...@natserv.net writes:
> On 07/09/2015 03:07 PM, Vick Khera wrote:
>> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem
>
> According to this post:
> http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
> one can not use openssl to test ssl connection to postgresql. True?

I should think you can't; it wouldn't know to send the initial packet that asks the server to initiate SSL mode. I found this in the man page for s_client mode:

    -starttls protocol
        send the protocol-specific message(s) to switch to TLS for
        communication. protocol is a keyword for the intended protocol.
        Currently, the only supported keywords are smtp, pop3, imap, and ftp.

So they've certainly heard of such issues, and you could imagine adding a -starttls postgresql variant, but it's not there now ... at least not in the OpenSSL version that ships in RHEL6.

regards, tom lane
Re: [GENERAL] How to test SSL cert from CA?
On Thu, Jul 9, 2015 at 9:29 PM, Francisco Reyes li...@natserv.net wrote:
> On 07/09/2015 03:07 PM, Vick Khera wrote:
>> On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes li...@natserv.net wrote:
>>
>> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem
>
> According to this post:
> http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
> one can not use openssl to test ssl connection to postgresql. True?

If you think the problem might be with the certificate itself, then take postgresql out of the loop entirely by installing that certificate to be used by apache (for instance) instead of by postgresql. Then use s_client against apache.

Cheers,
Jeff
Re: [GENERAL] How to test SSL cert from CA?
On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes li...@natserv.net wrote:
> Anyone knows of a way to test the SSL connection such that it validates against the CA? Preferably an open source application.
>
> Connecting through psql works fine on SSL with what I have setup, but the application, xtuple, seems to still be having the issue.

openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

check the man page for more options that will help you.

Here is what a bad connection looks like. This particular server does not send along the necessary intermediate certificate:

% openssl s_client -connect filer:443
CONNECTED(0003)
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=21:unable to verify the first certificate
verify return:1
[ ... ]
    Start Time: 1436468482
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Here's what a good connection looks like where the server sends the necessary intermediate certificate:

% openssl s_client -connect vk-dev:443
CONNECTED(0003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify return:1
[ ... ]
    Start Time: 1436468764
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The -verify_return_error option may help you as well.
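An added example, not from anyone in this thread: a small Python script that does what Tom Lane's reply says plain s_client cannot (send PostgreSQL's SSLRequest packet first) and then verifies the server chain against a CA file, returning the same verifier wording Vick Khera's s_client transcript shows ("unable to get local issuer certificate") when the intermediate is missing. The host, port and CA-file command-line arguments are assumed; the expected packet bytes follow from the protocol's documented length (8) and magic code (80877103).

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by the request code
# 80877103 (1234 in the high 16 bits, 5679 in the low), both big-endian.
SSL_REQUEST_CODE = 80877103


def ssl_request_packet() -> bytes:
    """Build the 8-byte SSLRequest a client must send before the TLS handshake."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def interpret_ssl_response(first_byte: bytes) -> str:
    """Map the server's single-byte answer to the client's next step."""
    if first_byte == b"S":
        return "tls"        # server agrees; start the TLS handshake now
    if first_byte == b"N":
        return "plaintext"  # server has ssl=off or was built without SSL
    if first_byte == b"E":
        return "error"      # very old servers answer with an ErrorResponse
    raise ValueError(f"unexpected SSLRequest reply: {first_byte!r}")


def check_postgres_tls(host: str, port: int, ca_file: str) -> dict:
    """SSLRequest prelude, then chain + hostname verification against ca_file.

    Returns {'ok': True, ...} or {'ok': False, 'error': <verifier message>};
    a server that omits its intermediate yields "unable to get local issuer
    certificate", exactly what s_client reports for the same fault."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(ssl_request_packet())
        action = interpret_ssl_response(raw.recv(1))
        if action != "tls":
            return {"ok": False, "error": f"server answered {action!r}, no TLS offered"}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"),
                        "issuer": cert.get("issuer"), "version": tls.version()}
        except ssl.SSLCertVerificationError as exc:
            return {"ok": False, "error": exc.verify_message,
                    "verify_code": exc.verify_code}


if __name__ == "__main__":
    import sys  # usage: script.py HOST PORT /path/to/CA.pem (assumed arguments)
    print(check_postgres_tls(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

OpenSSL 1.1.1 and later also accept `openssl s_client -starttls postgres`, which performs the same prelude.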
Re: [GENERAL] How to test SSL cert from CA?
On 07/09/2015 03:07 PM, Vick Khera wrote:
> On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes li...@natserv.net wrote:
>
> openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

According to this post:
http://serverfault.com/questions/79876/connecting-to-postgresql-with-ssl-using-openssl-s-client?rq=1
one cannot use openssl to test an ssl connection to postgresql. True?
Re: [GENERAL] How to test SSL cert from CA?
On 07/08/2015 10:52 PM, Tom Lane wrote:
> What's the complaint exactly?

The error we are getting is:

The security of this transaction may be compromised. The following SSL errors have been reported:
* The issuer certificate of a locally looked up certificate could not be found.
* The root CA certificate is not trusted for this purpose
[GENERAL] How to test SSL cert from CA?
Have a client using a commercial application. For a year plus we had been using a local self-signed certificate without issues. As of a few weeks ago a change/update to the program is making it complain about the self-signed cert.

I bought a SSL cert and installed it, but the program is still having the issue.

Does anyone know of a way to test the SSL connection such that it validates against the CA? Preferably an open source application.

Connecting through psql works fine on SSL with what I have set up, but the application, xtuple, seems to still be having the issue.

The client already wrote to the application support department, but is still waiting for an answer from them. If I had a way to at least reproduce the error I could more easily track down what I am missing.

Any suggestions?
Re: [GENERAL] How to test SSL cert from CA?
Francisco Reyes li...@natserv.net writes:
> Have a client using a commercial application. For a year plus we had been using a local self signed certificate without issues. As of a few weeks ago a change/update to the program is making it complain about the self signed cert.

What's the complaint exactly? A whole lot of stuff has been broken lately by recent changes in OpenSSL that make it reject certs with smaller key sizes. You might need to re-generate your cert with a larger size.

regards, tom lane