Closed mc3 closed 5 years ago
Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?
If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?
On 01.11.2018 at 16:32, Mahadevan notifications@github.com wrote:
Are the env. vars. PGSSLCERT and PGSSLKEY set and pointing to valid files?
They are not set.
If not, do the files ~/.postgresql/postgresql.crt and ~/.postgresql/postgresql.key exist?
They exist as links to cert and key.
PGP-Key:29E99DD6 ☀ computing @ chaos claudius
The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported.
It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.
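Added example, not part of the thread and not pgmetrics' own code: it assumes the client uses Go's standard crypto/tls stack (the "remote error: tls: handshake failure" message has that library's format) and inspects the ClientHello such a client sends, to check whether the two suites named above are offered. The server name "db2.invalid" is a constructed placeholder.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// IANA code points for the two suites named in the thread.
const (
	dheRSAAES256GCM   uint16 = 0x009f // OpenSSL name: DHE-RSA-AES256-GCM-SHA384
	ecdheRSAAES256GCM uint16 = 0xc030 // OpenSSL name: ECDHE-RSA-AES256-GCM-SHA384
)

// offeredSuites starts a Go TLS client handshake over an in-memory pipe and
// returns the cipher suite IDs listed in the ClientHello it sends.
func offeredSuites() (map[uint16]bool, error) {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close() // ends the pending handshake goroutine
	defer serverSide.Close()
	// The handshake never completes; only the client's first flight is needed.
	go tls.Client(clientSide, &tls.Config{ServerName: "db2.invalid"}).Handshake()

	hdr := make([]byte, 5) // TLS record header: type, version, length
	if _, err := io.ReadFull(serverSide, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(serverSide, body); err != nil {
		return nil, err
	}
	if hdr[0] != 22 || len(body) < 41 || body[0] != 1 { // handshake record, ClientHello
		return nil, io.ErrUnexpectedEOF
	}
	// Skip handshake header (4), client version (2), random (32), session id.
	p := 4 + 2 + 32
	p += 1 + int(body[p])
	n := int(binary.BigEndian.Uint16(body[p:]))
	suites := map[uint16]bool{}
	for i := 0; i < n; i += 2 {
		suites[binary.BigEndian.Uint16(body[p+2+i:])] = true
	}
	return suites, nil
}

func main() {
	s, err := offeredSuites()
	fmt.Println("DHE offered:", s[dheRSAAES256GCM], "ECDHE offered:", s[ecdheRSAAES256GCM], "err:", err)
}
```

A server that can only agree on the DHE suite has no suite in common with this ClientHello, which is why the server aborts the handshake.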
On 22.12.2018 at 13:03, Mahadevan notifications@github.com wrote:
The reason is that the cipher DHE-RSA-AES256-GCM-SHA384 is not supported by pgmetrics. Only the ECDHE-* variants are supported.
It's not clear why this cipher was chosen by your server. You can try getting PostgreSQL to use ECDHE-RSA-AES256-GCM-SHA384 instead, by including this value in the ssl_ciphers setting.
I changed my ssl_ciphers in the server config to:
ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA
(Thanks for the advice (-:), but:
erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public
(1 row)
Time: 0,561 ms
psql (10.5, server 10.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES128-GCM-SHA256, bits: 128, compression: off)
Type "help" for help.
PGP-Key:29E99DD6 ☀ computing @ chaos claudius
pgmetrics is trying to connect without SSL (this is the default behavior). Can you try:
PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations
On 23.12.2018 at 04:45, Mahadevan notifications@github.com wrote:
pgmetrics is trying to connect without SSL (this is the default behavior). Can you try:
PGSSLMODE=require pgmetrics -h db2 -p 2222 -w -f human operations
With server setting
ssl_ciphers = 'ECDHE:DHE+HIGH:!eNULL:!aNULL:!MD5:!RC2:!RC4:@STRENGTH'
ssl_prefer_server_ciphers = on
it works. Thanks for this nice program.
PGP-Key:29E99DD6 ☀ computing @ chaos claudius
ajr$ psql -h db2 -p 2222
Timing is on.
SET
Time: 0,578 ms
search_path
erdb, syslog, pki, dd, ext_ip4r, archiveopteryx, public
(1 row)
Time: 0,617 ms
psql (10.3, server 10.5)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
operations=# \q
ajr$ PGSSLMODE=require pgmetrics -h db2 -p 2222 -w
pgmetrics: remote error: tls: handshake failure
ajr$
In pg_hba.conf the related line is hostssl ... cert clientcert=1