The db_postgres documentation doesn't say much about anything, really...
Is there support for TLS connections and how do I configure it if it exists?
Thanks, /O
Olle E. Johansson wrote:
The db_postgres documentation doesn't say much about anything, really...
Is there support for TLS connections and how do I configure it if it exists?
Do you need client authentication? If not, AFAIK the connection to the postgresql is TLS if configured on the postgresql server.
/etc/postgresql/8.1/main/pg_hba.conf:
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local      DATABASE  USER  METHOD  [OPTION]
# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
7 Oct 2009 at 09.47, Klaus Darilion wrote:
Olle E. Johansson wrote:
The db_postgres documentation doesn't say much about anything, really... Is there support for TLS connections and how do I configure it if it exists?
Do you need client authentication? If not, AFAIK the connection to the postgresql is TLS if configured on the postgresql server.
Well, I need to be able to control the server certificate verification on the client side. And have an option to enable/disable SSL, set crypto mechanisms, authentication options and so on...
/etc/postgresql/8.1/main/pg_hba.conf:
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local      DATABASE  USER  METHOD  [OPTION]
# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
Happily, I am able to cover the whole server thing with a SEP field. Somebody-else's-problem :-)
Thanks!
/O
Olle E. Johansson wrote:
7 Oct 2009 at 09.47, Klaus Darilion wrote:
Olle E. Johansson wrote:
The db_postgres documentation doesn't say much about anything, really... Is there support for TLS connections and how do I configure it if it exists?
Do you need client authentication? If not, AFAIK the connection to the postgresql is TLS if configured on the postgresql server.
Well, I need to be able to control the server certificate verification on the client side. And have an option to enable/disable SSL, set crypto mechanisms, authentication options and so on...
Never done that.
http://www.postgresql.org/docs/8.4/static/libpq-ssl.html
regards klaus
7 Oct 2009 at 10.05, Klaus Darilion wrote:
Olle E. Johansson wrote:
7 Oct 2009 at 09.47, Klaus Darilion wrote:
Olle E. Johansson wrote:
The db_postgres documentation doesn't say much about anything, really... Is there support for TLS connections and how do I configure it if it exists?
Do you need client authentication? If not, AFAIK the connection to the postgresql is TLS if configured on the postgresql server.
Well, I need to be able to control the server certificate verification on the client side. And have an option to enable/disable SSL, set crypto mechanisms, authentication options and so on...
Never done that.
Neither have I but there's a first time for everything, like the first kiss and the first TLS connection ;-) And in most cases, you want to know the other subject before proceeding...
I hope that someone has done this, otherwise I have to boldly go where no man has gone before.
I have found some information that I can create a file in the user's home directory with some config options, but that doesn't seem like something that is easy to manage. Better to force it into the kamailio configuration file.
I'll spend some time with doing this for Asterisk today, and if I'm successful I can port some of that over to Kamailio/SIP-router.
/O
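
An added example, not part of the thread and not Kamailio or PostgreSQL code: a small audit of the pg_hba.conf record types quoted above, listing records that let a non-loopback client connect over TCP without TLS. The sample file contents, the function names and the loopback exemption are assumptions made for the illustration; it covers only what the server accepts, not certificate verification on the client.

```python
import ipaddress

# Constructed sample (not from the thread); addresses are documentation ranges.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER      CIDR-ADDRESS     METHOD
local      all       postgres                   ident
host       all       all       127.0.0.1/32     md5
host       kamailio  kamailio  192.0.2.0/24     md5
hostnossl  all       all       198.51.100.7 255.255.255.255 md5
hostssl    kamailio  kamailio  192.0.2.0/24     md5
"""

def is_loopback(addr, mask=None):
    """True if the address range lies entirely on the loopback interface."""
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:          # not a parsable range: assume remotely reachable
        return False
    return net.is_loopback

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hba(text):
    """Return (line_no, type, database, address, reason) for each record that
    lets a client connect over TCP without TLS. Quoted fields are not handled."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue            # comments, blanks, "local" and "hostssl" records
        rtype, database, _user, addr = fields[:4]
        mask = fields[4] if _is_ip(fields[4]) else None   # address + netmask form
        if is_loopback(addr, mask):
            continue            # traffic never leaves the host
        reason = ("plaintext only" if rtype == "hostnossl"
                  else "TLS optional, plaintext accepted")
        findings.append((line_no, rtype, database, addr, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print("line %d: %s db=%s addr=%s -> %s" % finding)
```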