Certificate for SQLDatabaseMBS

David_Cox · June 19, 2015, 10:10am

I have a PostgreSQL database with a valid SSL certificate and the SSL options turned on (in postgres.conf). Where do I place the settings in my connection to tell my SQLDatabaseMBS database to connect using that SSL certificate, or is it automatic? I would assume I would need something like:

tempSQLDatabaseMBS.Option("POSTGRES_SECURE_AUTH") = "true" tempSQLDatabaseMBS.Option("POSTGRES_CERTIFICATE") = "cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256"

Christian_Schmitz · June 19, 2015, 11:14am

I haven’t tried PostgreSQL with SSL yet. But all option described there:

http://www.postgresql.org/docs/9.4/static/libpq-connect.html

you can pass options to libpq with connection string. The default format is:

“[<server_name>]@][database_name][;]”

“” here is only the server command line options like described by the link above. However you can use any parameters with [database_name] like:

SAConnection con;
con.Connect(“myserverhost@dbname=‘test db’ connection_timeout=30 client_encoding=utf8 application_name=‘my app’ sslmode=require …”,

Can you try?

David_Cox · June 19, 2015, 3:13pm

These techniques did not work (would not connect):

tempSQLDatabaseMBS.DatabaseName = "postgres:" + myHost + "," + str(myPort) + "@" + myDatabaseName + ";sslmode=verify-full" tempSQLDatabaseMBS.DatabaseName = "postgres:" + myHost + "," + str(myPort) + "@" + myDatabaseName + ";sslmode=require"
but these did work:

tempSQLDatabaseMBS.Option("sslmode") = "verify-full" tempSQLDatabaseMBS.Option("sslmode") = "require"
or else the later two are being ignored!

Christian_Schmitz · June 19, 2015, 3:23pm

so it’S working for you?

David_Cox · June 19, 2015, 3:25pm

I’m not sure! Should the tempSQLDatabaseMBS.Option(“sslmode”) = “verify-full” technique work? If so, then yes it’s working.

Christian_Schmitz · June 19, 2015, 4:24pm

Well, you can check network traffic…

RenéLandscheidt · June 19, 2015, 7:05pm

Another Questions is how is your pg_hba.conf cinfigured.

I for example disalow any connection not ssl encrypted, by using the hostssl allow directive and host(s) deny directive in said config file.

Any Not Encrypted Connection is denied access. So you would now if it uses SSL this way because else the connection will not work.

Gave me a problem when i compiled an app of mine with the new xojo version because some time ago (the xojo db plugins) had their SSLMode set to SSLDisabled in the Default Config (The RealStudio Version at least where set to SSLAllow). So my App couldn’t Connect to the DB because it didn’t even try to connect per SSL.

David_Cox · June 22, 2015, 8:49am

Ren, I have SSL turned on in postgres.conf, but not as required that would be a good test. Thank you.