[BUGS] More SSL questions..

#1 T.J. - 12-19-2004, 10:38 PM

Having some problems (still, hehe) getting SSL to work properly on
windows in the new 8.0 (all vers) environment (where cert/key is required).

On the client side when not finding the certificate/key psql would
report the SSL error sslv3 alert handshake failure. After I figured out
where psql was looking for the files and placing them there I now get
the error: SSL SYSCALL error: Connection reset by peer
(0x00002746/10054). On the server side it still reports that the peer
did not return a certificate.

I am able to connect to the server just fine using the same
certificate/key on a linux machine...so I'm guessing it's just another
good ol' windows issue?


---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

#2 Bruce Momjian - 01-03-2005, 06:19 PM

Did we ever find the solution to this, or did anyone find the cause?

---------------------------------------------------------------------------

T.J. wrote:
> Having some problems (still, hehe) getting SSL to work properly on
> windows in the new 8.0 (all vers) environment (where cert/key is required).
>
> On the client side when not finding the certificate/key psql would
> report the SSL error sslv3 alert handshake failure. After I figured out
> where psql was looking for the files and placing them there I now get
> the error: SSL SYSCALL error: Connection reset by peer
> (0x00002746/10054). On the server side it still reports that the peer
> did not return a certificate.
>
> I am able to connect to the server just fine using the same
> certificate/key on a linux machine...so I'm guessing it's just another
> good ol' windows issue?

--
Bruce Momjian | http://candle.pha.pa.us
pgman (AT) candle (DOT) pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

#3 T.J. - 01-04-2005, 12:43 AM

Not to my knowledge. By the way, for future reference on windows it
looks for the cert/key in the linux equivalent of
`pwd`/.postgresql/postgresql.crt/key, instead of
$HOME/.postgresql/postgresql.crt/key. Maybe you already knew this but I
had to do testing to figure it out so hopefully that bit of knowledge
will be of use to someone else

I tried looking through the source myself for the cause of this problem
but I guess there's a reason my perl is so sharp and c so rusty these days..

Don't know if it makes much difference but I have built with vcwin and
mingw with the same resulting error.

Bruce Momjian wrote:
> Did we ever find the solution to this, or did anyone find the cause?
>
> ---------------------------------------------------------------------------
>
> T.J. wrote:
>> Having some problems (still, hehe) getting SSL to work properly on
>> windows in the new 8.0 (all vers) environment (where cert/key is required).
>>
>> On the client side when not finding the certificate/key psql would
>> report the SSL error sslv3 alert handshake failure. After I figured out
>> where psql was looking for the files and placing them there I now get
>> the error: SSL SYSCALL error: Connection reset by peer
>> (0x00002746/10054). On the server side it still reports that the peer
>> did not return a certificate.
>>
>> I am able to connect to the server just fine using the same
>> certificate/key on a linux machine...so I'm guessing it's just another
>> good ol' windows issue?

#4 Tom Lane - 01-04-2005, 12:54 AM

"T.J." <tjtoocool (AT) phreaker (DOT) net> writes:
> Not to my knowledge. By the way, for future reference on windows it
> looks for the cert/key in the linux equivalent of
> `pwd`/.postgresql/postgresql.crt/key, instead of
> $HOME/.postgresql/postgresql.crt/key.

Actually, it asks getpwuid() for the user's home directory,
rather than looking for an environment variable named HOME.
See client_cert_cb() in fe-secure.c.

This could probably be documented better, but I'm not sure how.
The average user is even less likely to be familiar with getpwuid()
than $HOME, so it doesn't seem like referencing that library function
is much of an improvement.

regards, tom lane

#5 T.J. - 01-04-2005, 11:41 AM

After some more screwing around, I'm not entirely certain windows is
even trying to open my certs. After repeatedly trying to connect it
seemed like I was getting an equal amount of the sslv3 and SSL SYSCALL
errors, whether or not the certs were (where I thought?) windows was
looking for them..

Which leads me to my next question; that function client_cert_cb, does
it ever get executed on windows?

I mean, that's the function with the useful error messages (that helped
me on linux), is it not? And the error messages on windows are anything
but useful...and at the beginning of that function there is a:

#ifdef WIN32
return 0;
#else
... (function)
return 1;
#endif

Tom Lane wrote:
> "T.J." <tjtoocool (AT) phreaker (DOT) net> writes:
>> Not to my knowledge. By the way, for future reference on windows it
>> looks for the cert/key in the linux equivalent of
>> `pwd`/.postgresql/postgresql.crt/key, instead of
>> $HOME/.postgresql/postgresql.crt/key.
>
> Actually, it asks getpwuid() for the user's home directory,
> rather than looking for an environment variable named HOME.
> See client_cert_cb() in fe-secure.c.
>
> This could probably be documented better, but I'm not sure how.
> The average user is even less likely to be familiar with getpwuid()
> than $HOME, so it doesn't seem like referencing that library function
> is much of an improvement.
>
> regards, tom lane

#6 Tom Lane - 01-04-2005, 03:28 PM

"T.J." <tjtoocool (AT) phreaker (DOT) net> writes:
> Which leads me to my next question; that function client_cert_cb, does
> it ever get executed on windows?

Um. Looks like someone ifdef'd it out :-(. In fact, if you look
through fe-secure.c, you'll see that just about all the SSL code is
ifdef'd out on Windows.

Try removing the #ifs and see if it compiles.

win32 hackers, anyone know why it's like this?

regards, tom lane

#7 T.J. - 01-04-2005, 03:48 PM

Yeah I already tried removing the ifdef's...oh BOY was it not happy :'(

Tom Lane wrote:
> "T.J." <tjtoocool (AT) phreaker (DOT) net> writes:
>> Which leads me to my next question; that function client_cert_cb, does
>> it ever get executed on windows?
>
> Um. Looks like someone ifdef'd it out :-(. In fact, if you look
> through fe-secure.c, you'll see that just about all the SSL code is
> ifdef'd out on Windows.
>
> Try removing the #ifs and see if it compiles.
>
> win32 hackers, anyone know why it's like this?
>
> regards, tom lane

#8 Tom Lane - 01-04-2005, 03:51 PM

I wrote:
> win32 hackers, anyone know why it's like this?

Looking through the code, it seems that it's because someone thought
that breaking SSL would be easier than replacing the pqGetpwuid() calls
that are used to find out the user's home directory.

Does Windows even have a concept of home directory? What would be a
reasonable equivalent to ~/.postgresql/ ?

regards, tom lane

#9 Matthew T. O'Connor - 01-04-2005, 04:06 PM

Tom Lane wrote:
> I wrote:
>> win32 hackers, anyone know why it's like this?
>
> Looking through the code, it seems that it's because someone thought
> that breaking SSL would be easier than replacing the pqGetpwuid() calls
> that are used to find out the user's home directory.
>
> Does Windows even have a concept of home directory? What would be a
> reasonable equivalent to ~/.postgresql/ ?

The versions of windows that the port supports (NT4, 2000, 2003, XP) do
have home directories. The "Documents and Settings" (except NT 4 which
uses "Profiles") directory in windows is like /home in Unix. Using my
XP Pro box, I see two relevant environment variables HOMEDRIVE, and
HOMEPATH. On my box they are set as follows:
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\matthew
So: ~/.postgresql/ = C:\Documents and Settings\matthew\.postgresql\

Hope that helps.

Matthew


#10 Tom Lane - 01-04-2005, 04:14 PM

"Matthew T. O'Connor" <matthew (AT) zeut (DOT) net> writes:
> Tom Lane wrote:
>> Does Windows even have a concept of home directory? What would be a
>> reasonable equivalent to ~/.postgresql/ ?
>
> The versions of windows that the port supports (NT4, 2000, 2003, XP) do
> have home directories.

OK ... are you supposed to find it out by looking at the environment
vars, or is there another API defined?

I am planning to consolidate the platform dependency into a function
defined like

static bool pqGetHomeDirectory(char *buf, int bufsize)
{
    /* Obtain pathname of user's home directory, store in */
    /* buf[] (of size bufsize) */
    /* Return TRUE if succeeded, FALSE if not */
}

If someone can whip up and test a WIN32 version of this, I'll take care
of the rest.

regards, tom lane
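
The thread ends with a request for a home-directory helper. As an added example (not PostgreSQL's code and not written by anyone in the thread), here is one way such a function and the client certificate path lookup could be written in C. The names `example_get_home_directory` and `example_client_file_path` are hypothetical, and the WIN32 branch assumes the HOMEDRIVE and HOMEPATH variables mentioned above are set.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#ifndef WIN32
#include <pwd.h>
#include <unistd.h>
#endif

/* Hypothetical stand-in for the pqGetHomeDirectory() proposed in the thread. */
static bool example_get_home_directory(char *buf, int bufsize)
{
    int n;
#ifdef WIN32
    /* Assumption: HOMEDRIVE + HOMEPATH, the variables named in the thread. */
    const char *drive = getenv("HOMEDRIVE"), *path = getenv("HOMEPATH");
    if (bufsize <= 0 || drive == NULL || path == NULL || path[0] == '\0')
        return false;
    n = snprintf(buf, (size_t) bufsize, "%s%s", drive, path);
#else
    /* Ask the password database rather than trusting $HOME. */
    struct passwd pwd, *res = NULL;
    char scratch[4096];
    if (bufsize <= 0 ||
        getpwuid_r(geteuid(), &pwd, scratch, sizeof(scratch), &res) != 0 ||
        res == NULL || res->pw_dir == NULL || res->pw_dir[0] == '\0')
        return false;
    n = snprintf(buf, (size_t) bufsize, "%s", res->pw_dir);
#endif
    /* Reject truncation: a clipped path could name a different directory. */
    return n > 0 && n < bufsize;
}

/* Build <home>/.postgresql/<file>; false on empty home or if it does not fit. */
static bool example_client_file_path(const char *home, const char *file,
                                     char *buf, int bufsize)
{
    if (home == NULL || home[0] == '\0' || file == NULL || bufsize <= 0)
        return false;
    int n = snprintf(buf, (size_t) bufsize, "%s/.postgresql/%s", home, file);
    return n > 0 && n < bufsize;
}

int main(void)
{
    char home[1024], crt[1100];
    bool ok = example_get_home_directory(home, sizeof(home)) &&
              example_client_file_path(home, "postgresql.crt", crt, sizeof(crt));
    printf("%s\n", ok ? crt : "no usable home directory");
    return ok ? 0 : 1;
}
```

Failing closed when the directory cannot be resolved or the path would be truncated keeps the client from silently loading a certificate or key from somewhere other than the user's own profile.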
