Patch attached.  Will appear in 7.3.2 and 7.4.

---------------------------------------------------------------------------

Bruce Momjian wrote:
> Dan Langille wrote:
> > On Mon, 23 Dec 2002, Tom Lane wrote:
> > 
> > > "Rob Abernethy IV" <[EMAIL PROTECTED]> writes:
> > > > I cannot get the postmaster to start up in SSL mode.  I receive the following
> > > > error:
> > > > bad permissions on private key file (/var/lib/pgsql/data/server.key)
> > >
> > > > -rw-r--r--    1 postgres postgres     3223 Dec 18 17:10 server.crt
> > > > -rw-r--r--    1 postgres postgres      887 Dec 18 17:10 server.key
> > >
> > > I think it wants the private key file to be mode 600 or less --- a
> > > world-readable private key isn't very private, hmm?
> > 
> > Is this a good candidate for error message improvement?
> 
> Yes.  I will take care of it.
> 
> -- 
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   [EMAIL PROTECTED]               |  (610) 359-1001
>   +  If your life is a hard drive,     |  13 Roberts Road
>   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/be-secure.c,v
retrieving revision 1.20
diff -c -c -r1.20 be-secure.c
*** src/backend/libpq/be-secure.c       18 Dec 2002 13:15:12 -0000      1.20
--- src/backend/libpq/be-secure.c       23 Dec 2002 22:13:12 -0000
***************
*** 616,622 ****
                if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) ||
                        buf.st_uid != getuid())
                {
!                       postmaster_error("bad permissions on private key file (%s)", 
fnbuf);
                        ExitPostmaster(1);
                }
                if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
--- 616,624 ----
                if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) ||
                        buf.st_uid != getuid())
                {
!                       postmaster_error("bad permissions on private key file (%s)\n"
! "File must be owned by the proper user and must have no permissions for\n"
! "\"group\" or \"other\".", fnbuf);
                        ExitPostmaster(1);
                }
                if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
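Review bot: The new text in the 616,624 hunk says "owned by the proper user", but the test is `buf.st_uid != getuid()`, so the message could name the actual requirement: the file must be owned by the user the postmaster is running as. The same message is also emitted when `!S_ISREG(buf.st_mode)` fails, which is not a permissions problem and is not mentioned in the hint; either split the three conditions into separate errors or add "must be a regular file" to the text. Since `(buf.st_mode & 0077)` rejects any group or other bit, the hint could give a concrete mode such as 0600, which is what an administrator will type. Style point: the two continuation string lines start at column 0 and would read better aligned with the first argument.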