[GENERAL] Refresh Postgres SSL certs?
Hello,

In light of the Heartbleed OpenSSL bug[0,1], I'm wondering if I need to regenerate the SSL certs on my postgres installations[2] (at least the ones listening on more than localhost)? On Ubuntu it looks like there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key} pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any documentation on how to regenerate these? Are they self-signed? Can I replace them with my own self-signed certs, like I'd do with Apache or Nginx?

Thanks!
Paul

[0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
[1] http://heartbleed.com/
[2] http://www.postgresql.org/docs/9.1/static/ssl-tcp.html

--
_
Pulchritudo splendor veritatis.

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general

Re: [GENERAL] Refresh Postgres SSL certs?
On Wed, Apr 09, 2014 at 12:28:14PM -0700, Paul Jungwirth wrote:
> Hello,
>
> In light of the Heartbleed OpenSSL bug[0,1], I'm wondering if I need to regenerate the SSL certs on my postgres installations[2] (at least the ones listening on more than localhost)? On Ubuntu it looks like there are symlinks at /var/lib/postgresql/9.1/main/server.{crt,key} pointing to /etc/ssl/private/ssl-cert-snakeoil.{pem,key}. Is there any documentation on how to regenerate these? Are they self-signed? Can I replace them with my own self-signed certs, like I'd do with Apache or Nginx?

Have you read the Debian README?

/usr/share/doc/postgresql-*/README.Debian.gz

It talks about how the certificates are made. It uses the ssl-cert package to make them, there's more docs there.

Yes, you can make your own self-signed certs and use them.

Have a nice day,
--
Martijn van Oosterhout klep...@svana.org http://svana.org/kleptog/
He who writes carelessly confesses thereby at the very outset that he does not attach much importance to his own thoughts. -- Arthur Schopenhauer

Re: [GENERAL] Refresh Postgres SSL certs?
> Have you read the Debian README?
>
> /usr/share/doc/postgresql-*/README.Debian.gz

Thank you for pointing me to that file. From /etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is already self-signed, so that's promising. So I take it that psql and the postgres client library won't object to a self-signed cert. Do they do any kind of certificate pinning or other caching of the old cert? Or can I just replace the cert, restart the postgres server, and be done?

Thanks,
Paul

Re: [GENERAL] Refresh Postgres SSL certs?
On Wed, Apr 09, 2014 at 12:59:53PM -0700, Paul Jungwirth wrote:
> > Have you read the Debian README?
> >
> > /usr/share/doc/postgresql-*/README.Debian.gz
>
> Thank you for pointing me to that file. From /etc/share/doc/ssl-cert/README it sounds like the old snakeoil cert is already self-signed, so that's promising. So I take it that psql and the postgres client library won't object to a self-signed cert. Do they do any kind of certificate pinning or other caching of the old cert? Or can I just replace the cert, restart the postgres server, and be done?

No pinning, no caching.

Have a nice day,
--
Martijn van Oosterhout klep...@svana.org http://svana.org/kleptog/
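
The replacement step discussed in this thread, as an added example that is not from any of the posters: it generates a fresh private key and self-signed certificate with openssl, checks that the pair belongs together and is self-signed, and prints the new fingerprint. The CN `db.example.test`, the function names and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example. The CN and the scratch directory are constructed; on the
# Ubuntu layout from the thread the results would replace the files that
# /var/lib/postgresql/9.1/main/server.{crt,key} point to, then restart.

# gen_pg_cert DIR CN [DAYS]: new RSA key plus self-signed cert in DIR.
gen_pg_cert() {
    (
        umask 077   # key is never group/world readable, even briefly
        openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
            -days "${3:-3650}" -subj "/CN=$2" \
            -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    ) || return 1
    # The 9.1 SSL docs cited in the thread require that server.key
    # disallow any access to group or world.
    chmod 600 "$1/server.key"
    chmod 644 "$1/server.crt"
}

# key_matches_cert KEY CERT: true only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CERT: true if subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_fingerprint CERT: SHA-256 fingerprint, to confirm the cert changed.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo in a throwaway directory (constructed input, nothing is installed).
demo=$(mktemp -d)
gen_pg_cert "$demo" db.example.test &&
    key_matches_cert "$demo/server.key" "$demo/server.crt" &&
    is_self_signed "$demo/server.crt" &&
    echo "new cert fingerprint: $(cert_fingerprint "$demo/server.crt")"
rm -rf "$demo"
```

Comparing `cert_fingerprint` of the old and new `server.crt` before restarting confirms that the server will present a different certificate and key afterwards.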