rapidloop / pgmetrics

Collect and display information and stats from a running PostgreSQL server
https://pgmetrics.io
Apache License 2.0

Authentication by client cert does not work #19

Closed mc3 closed 5 years ago

mc3 commented 5 years ago

```
ajr$ psql -h db2 -p 2222
Timing is on.
SET
Time: 0,578 ms
 search_path
 erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public
(1 row)

Time: 0,617 ms
psql (10.3, server 10.5)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

operations=# \q
ajr$ PGSSLMODE=require pgmetrics -h db2 -p 2222 -w
pgmetrics: remote error: tls: handshake failure
ajr$
```

In pg_hba.conf the related line is hostssl ... cert clientcert=1

mdevan commented 5 years ago

Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?

If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?

mc3 commented 5 years ago

On 01.11.2018 at 16:32, Mahadevan notifications@github.com wrote:

> Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?

They are not set.

> If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?

They exist as links to cert and key.


PGP-Key:29E99DD6 ☀ computing @ chaos claudius

mdevan commented 5 years ago

The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported.

It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.
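The point made above, that a Go client cannot complete a handshake with a server that settles on a DHE-RSA-* suite, can be checked without a PostgreSQL server. The following is an added example, written for this page and not code from pgmetrics or lib/pq. It enumerates the suites Go's crypto/tls knows (none use finite-field DHE), then runs a TLS 1.2 handshake in-process over net.Pipe in which the server requires and verifies a client certificate, the Go-side analogue of the `hostssl ... cert clientcert=1` rule in the issue, with the server pinned to one cipher suite. The certificate is a throwaway self-signed RSA key generated in memory; the CN `ajr` and host name `db2` are taken from the transcript above, and the function names (`GoOffersDHE`, `demoCert`, `Handshake`) are this example's own. Pinning the server to `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (the IANA name for OpenSSL's ECDHE-RSA-AES256-GCM-SHA384) succeeds; pinning it to a suite the server's certificate cannot satisfy reproduces the handshake-failure case on the client side.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// GoOffersDHE reports whether Go's crypto/tls advertises any finite-field DHE
// suite. It never does (only RSA and ECDHE key exchange exist), so a server that
// insists on DHE-RSA-* for a Go client ends in "tls: handshake failure".
func GoOffersDHE() bool {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if strings.HasPrefix(cs.Name, "TLS_DHE_") {
			return true
		}
	}
	return false
}

// demoCert builds a throwaway self-signed RSA certificate (constructed for this
// demo, never written to disk) used as CA, server identity and client identity.
func demoCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ajr"}, // CN is what cert auth maps to a role
		DNSNames:              []string{"db2"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}

// Handshake runs a TLS 1.2 handshake in-process over net.Pipe. The server requires
// and verifies a client certificate (the Go-side analogue of "hostssl ... cert
// clientcert=1") and is limited to serverSuites; the client presents its
// certificate. It returns the negotiated suite name or the handshake error.
func Handshake(serverSuites []uint16) (string, error) {
	cert, pool, err := demoCert()
	if err != nil {
		return "", err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		CipherSuites: serverSuites,
		MaxVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool,
		ServerName:   "db2",
		MaxVersion:   tls.VersionTLS12,
	}
	c1, c2 := net.Pipe()
	defer c1.Close() // closing the raw pipe ends skips close_notify, which would block on a pipe
	defer c2.Close()
	server, client := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return "", err
	}
	if err := <-errc; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

func main() {
	name, err := Handshake([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384})
	fmt.Println("Go offers DHE suites:", GoOffersDHE(), "| negotiated:", name, "| err:", err)
}
```

Running it prints `false` for the DHE check and `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` as the negotiated suite. The practical consequence for a PostgreSQL server that must be reachable by Go clients is the one reached later in this thread: `ssl_ciphers` has to leave at least one ECDHE suite matching the server certificate's key type available, because no amount of client-side configuration adds DHE to crypto/tls.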

mc3 commented 5 years ago

On 22.12.2018 at 13:03, Mahadevan notifications@github.com wrote:

> The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported.
>
> It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.

I changed my ssl_ciphers in the server config to:

```
ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA
```

(Thanks for the advice (-:), but:

```
ajr$ pgmetrics -h db2 -p 2222 -w -f human operations
pgmetrics: pq: no pg_hba.conf entry for host "2a05:bec0:26:10::124", user "ajr", database "operations", SSL off
ajr$ psql -p 2222
Timing is on.
SET
Time: 0,591 ms
 search_path
 erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public
(1 row)

Time: 0,561 ms
psql (10.5, server 10.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off)
Type "help" for help.
```

Axel

PS: There is a client certificate in use.


mdevan commented 5 years ago

pgmetrics is trying to connect without SSL (this is the default behavior). Can you try:

```
PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations
```

mc3 commented 5 years ago

On 23.12.2018 at 04:45, Mahadevan notifications@github.com wrote:

> pgmetrics is trying to connect without SSL (this is the default behavior). Can you try:
>
> PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations

With server setting

```
ssl_ciphers = 'ECDHE:DHE+HIGH:!eNULL:!aNULL:!MD5:!RC2:!RC4:@STRENGTH'
ssl_prefer_server_ciphers = on
```

it works. Thanks for this nice program.

Axel
