On Thu, Oct 09, 2008, Andrej Podzimek wrote:

>> Hmmm.... Is that the right port for SSL/TLS? If it is, it looks like it
>> isn't just a case of connecting to the right port to get an SSL/TLS
>> connection. Might be some STARTTLS equivalent but I'm not sure what it
>> is for that application.
>
> PostgreSQL always listens on one port. This is the only port I ever used
> for TCP/IP connections. So there must be something like STARTTLS, as it
> can handle both encrypted and unencrypted connections.
>
> [EMAIL PROTECTED] ~]# netstat -atpn | grep postgres | grep LISTEN
> tcp   0  0 10.84.53.1:5432          0.0.0.0:*   LISTEN  9808/postgres
> tcp   0  0 10.84.55.1:5432          0.0.0.0:*   LISTEN  9808/postgres
> tcp   0  0 217.112.173.73:5432      0.0.0.0:*   LISTEN  9808/postgres
> tcp   0  0 127.0.0.1:5432           0.0.0.0:*   LISTEN  9808/postgres
> tcp   0  0 2002:d970:ad49:2:::5432  :::*        LISTEN  9808/postgres
> tcp   0  0 2002:d970:ad49:1:::5432  :::*        LISTEN  9808/postgres
> tcp   0  0 2002:d970:ad49::1:5432   :::*        LISTEN  9808/postgres
> tcp   0  0 ::1:5432                 :::*        LISTEN  9808/postgres
>
>> It looks like an expired certificate is somehow being used. How isn't
>> clear at this stage. If you have CA certificates in directories or files
>> make sure an old one isn't in there.
>
> I only have one directory and one CA certificate. That makes the task
> simple.
>
> On the client:
> [EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not
>             Not Before: Mar 25 12:00:00 2008 GMT
>             Not After : Mar 25 12:00:00 2009 GMT
> [EMAIL PROTECTED] .postgresql]$ openssl x509 -in root.crt -text | grep Not
>             Not Before: Nov 12 16:03:00 2006 GMT
>             Not After : Nov 11 16:03:00 2011 GMT
>
> On the server:
> [EMAIL PROTECTED] data]# openssl x509 -in server.crt -text | grep Not
>             Not Before: Jul 23 09:20:00 2008 GMT
>             Not After : Jul 23 09:20:00 2009 GMT
> [EMAIL PROTECTED] data]# openssl x509 -in root.crt -text | grep Not
>             Not Before: Nov 12 16:03:00 2006 GMT
>             Not After : Nov 11 16:03:00 2011 GMT
>

Then I suggest you run the following command on those systems too:

openssl verify -CAfile root.crt other.crt

Where "other.crt" is the EE certificate, server.crt or postgresql.crt

>> The best I can suggest at this point is modifying OpenSSL or the
>> application to dump out any expired certificates to a temp file so you
>> can see which one(s) it is complaining about.
>
> That would be helpful. But how could I do that? What file should I
> change? Is there a patch/howto?
>

In crypto/x509/x509_vfy.c the function check_cert_time() is the one you
need. Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate
it thinks has expired "x". Suggest you dump that out to a temp file using
PEM_write_X509()

> Two more remarks:
>
> 1) Downgraded to h and restarted PostgreSQL today. (Grrr...) Still the
> same error.
>
> 2) Just a wild guess, a shot in the dark: Could this be a locale-related
> issue? Does OpenSSL use/parse text representations of dates and times? If
> so, getting (for example) '9. říj 15.12' instead of 'Oct 9 15:12' could
> result in a comparison failure if not handled properly. (But this is
> probably not the case. Presumably, a binary representation (such as
> epoch) is used...)
>

OpenSSL just uses time() and gmtime_r() (or equivalent) and relies on the
contents of struct tm.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
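The check Steve points at in check_cert_time() and the locale question in remark 2 can both be seen without patching OpenSSL. The script below is an added example written for this page, not code from the thread or from OpenSSL: it walks a PEM bundle, reads each certificate's ASN.1 Validity directly out of the DER (UTCTime/GeneralizedTime are fixed numeric layouts, so no month names and no locale are involved), reports which certificate is expired or not yet valid at a chosen time, and hands back the offending PEM block, which is the same thing Steve suggests dumping with PEM_write_X509(). The sample bundle is constructed: unsigned certificate skeletons carrying the notBefore/notAfter dates quoted above for postgresql.crt and root.crt, plus a hypothetical stale certificate, checked at the thread's date.

```python
"""
Added example: find which certificate in a PEM bundle is outside its validity
window, the way check_cert_time() in crypto/x509/x509_vfy.c decides
X509_V_ERR_CERT_HAS_EXPIRED, and return the offending PEM block.
Standard library only; the sample certificates below are constructed stubs.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs that make up a constructed value spanning buf[start:end]."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve


def asn1_time(tag, raw):
    """Time ::= UTCTime | GeneralizedTime. Both are fixed numeric fields, so the
    decode is locale-independent: no month names are ever parsed."""
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 year rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(der_cert):
    """(notBefore, notAfter) from a DER Certificate:
    Certificate -> tbsCertificate -> [version] serial sigalg issuer *validity* ..."""
    _, cert_s, _ = _tlv(der_cert, 0)
    _, tbs_s, tbs_e = _tlv(der_cert, cert_s)
    fields = list(_children(der_cert, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:               # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    _, val_s, val_e = fields[3]
    nb, na = [asn1_time(t, der_cert[s:e]) for t, s, e in _children(der_cert, val_s, val_e)]
    return nb, na


def check_cert_times(pem_text, now):
    """Mirror check_cert_time(): one (index, notBefore, notAfter, status) per cert."""
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        body = m.group(0).split("-----")[2]
        nb, na = parse_validity(base64.b64decode("".join(body.split())))
        status = ("CERT_NOT_YET_VALID" if now < nb else
                  "CERT_HAS_EXPIRED" if now > na else "OK")
        report.append((i, nb, na, status))
    return report


def expired_pem_blocks(pem_text, now):
    """PEM text of every expired cert: what you would write to a temp file."""
    blocks = PEM_RE.findall(pem_text)
    return [blocks[i] for i, _, _, st in check_cert_times(pem_text, now) if st == "CERT_HAS_EXPIRED"]


# --- constructed sample data: unsigned certificate skeletons, enough for the parser ---
def _der(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])       # sample certs stay below 256 bytes
    return bytes([tag]) + ln + body


def fake_cert_pem(not_before, not_after):
    utc = lambda s: _der(0x17, s.encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                  # [0] version v3
           + _der(0x02, b"\x01")                            # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
           + _der(0x30, b"")                                # issuer: empty Name
           + _der(0x30, utc(not_before) + utc(not_after))   # validity
           + _der(0x30, b"")                                # subject: empty Name
           + _der(0x30, b""))                               # subjectPublicKeyInfo stub
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))  # no real signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


# Dates quoted in the thread for postgresql.crt and root.crt, plus a hypothetical stale cert.
SAMPLE_BUNDLE = (fake_cert_pem("080325120000Z", "090325120000Z")      # postgresql.crt
                 + fake_cert_pem("061112160300Z", "111111160300Z")    # root.crt
                 + fake_cert_pem("070101000000Z", "080101000000Z"))   # stale leftover (hypothetical)
THREAD_TIME = datetime(2008, 10, 9, 15, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    for i, nb, na, st in check_cert_times(SAMPLE_BUNDLE, THREAD_TIME):
        print("cert %d: %s .. %s  %s" % (i, nb, na, st))
    for block in expired_pem_blocks(SAMPLE_BUNDLE, THREAD_TIME):
        print(block, end="")
```

Run it against a real bundle by passing the file contents as pem_text and datetime.now(timezone.utc) as now; only the third, stale sample certificate is reported as expired on the thread's date, while the two with the quoted dates are fine, which is the kind of leftover the temp-file dump is meant to catch.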