
Hi!

I'm trying to set up stunnel for postgres, and cannot get it working. For the moment, I'm just trying to test locally on a Mac. I have set up postgres SSL correctly and confirmed that direct connections to the db with psql work with SSL.

Here's the most promising config I've come up with:

foreground = yes
client = yes

[postgresql]
protocol = pgsql
accept = 127.0.0.1:5433
connect = 127.0.0.1:5432
verify = 0
cert = /opt/homebrew/var/postgresql@16/server.crt
key = /opt/homebrew/var/postgresql@16/server.key
CAfile = /opt/homebrew/var/postgresql@16/ca.crt

Here's what I'm getting:

$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: server offered SCRAM-SHA-256-PLUS authentication over a non-SSL connection
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: FATAL: unsupported frontend protocol 1234.5679: server supports 3.0 to 3.0

Also, is it possible to connect to stunnel via UNIX socket instead of TCP?

Thanks,
--
Casey

Hi Casey & Gina,

I want to do a postgre shift soon as well away from sql server...

This is my sql server version on Windows if that could be of any help:

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = stunnel.log
sslVersion = all
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.2

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; ***************************************** Example TLS client mode services

[Sql_Sil]
client = yes
accept = localhost:<Port>
connect = <IP>:<Port>
ciphers = PSK
PSKsecrets = C:\Program Files (x86)\stunnel\config\pskSQL.txt

I am not aware of what a UNIX socket is. Why would you want to move away from TCP?

Regards,
Allstar

On Tue, 11 Jun 2024, 18:35 Casey & Gina, <cg@osss.net> wrote:
Hi! I'm trying to set up stunnel for postgres, and cannot get it working. For the moment, I'm just trying to test locally on a Mac. I have set up postgres SSL correctly and confirmed that direct connections to the db with psql work with SSL.
Here's the most promising config I've come up with:
foreground = yes
client = yes
[postgresql]
protocol = pgsql
accept = 127.0.0.1:5433
connect = 127.0.0.1:5432
verify = 0
cert = /opt/homebrew/var/postgresql@16/server.crt
key = /opt/homebrew/var/postgresql@16/server.key
CAfile = /opt/homebrew/var/postgresql@16/ca.crt
Here's what I'm getting:
$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: server offered SCRAM-SHA-256-PLUS authentication over a non-SSL connection
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: FATAL: unsupported frontend protocol 1234.5679: server supports 3.0 to 3.0
Also, is it possible to connect to stunnel via UNIX socket instead of TCP?
Thanks,
--
Casey
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org

Hi Casey/Gina:

This is an old thread, but in case it was not solved, you may try prepending PGGSSENCMODE=disable to your pgsql command. This is an issue in postgresql versions dealing with SSL/GSS protocol negotiation.

Regards,
Jose

On Tuesday, June 11, 2024 at 11:35:04 AM GMT-5, Casey & Gina <cg@osss.net> wrote:

Hi! I'm trying to set up stunnel for postgres, and cannot get it working. For the moment, I'm just trying to test locally on a Mac. I have set up postgres SSL correctly and confirmed that direct connections to the db with psql work with SSL.
Here's the most promising config I've come up with:
foreground = yes
client = yes
[postgresql]
protocol = pgsql
accept = 127.0.0.1:5433
connect = 127.0.0.1:5432
verify = 0
cert = /opt/homebrew/var/postgresql@16/server.crt
key = /opt/homebrew/var/postgresql@16/server.key
CAfile = /opt/homebrew/var/postgresql@16/ca.crt
Here's what I'm getting:
$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5432 -U casey -d postgres -c 'select 1' -At
1
$ PGSSLMODE=disable psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: server offered SCRAM-SHA-256-PLUS authentication over a non-SSL connection
$ PGSSLMODE=require psql -h 127.0.0.1 -p 5433 -U casey -d postgres -c 'select 1' -At
psql: error: connection to server at "127.0.0.1", port 5433 failed: FATAL: unsupported frontend protocol 1234.5679: server supports 3.0 to 3.0
Also, is it possible to connect to stunnel via UNIX socket instead of TCP?
Thanks,
--
Casey
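
Added example, not part of any message in this thread: the "1234.5679" in the last psql error is not a real protocol version but the request code of the SSLRequest packet that psql sends first under PGSSLMODE=require, printed as major.minor. The decoder below classifies the first packet of a PostgreSQL connection; the function names and the sample packets are constructed for illustration.

```python
import struct

# Special request codes a client may send instead of a real protocol version.
# The 32-bit word after the length field is (major << 16) | minor.
SPECIAL_CODES = {
    (1234, 5678): "CancelRequest",
    (1234, 5679): "SSLRequest",
    (1234, 5680): "GSSENCRequest",
}


def build_packet(major, minor, params=None):
    """Build a constructed sample packet (hypothetical helper for this example)."""
    body = struct.pack("!I", (major << 16) | minor)
    if params is not None:
        for key, value in params.items():
            body += key.encode() + b"\x00" + value.encode() + b"\x00"
        body += b"\x00"  # terminator after the last key/value pair
    return struct.pack("!I", len(body) + 4) + body


def decode_startup(packet):
    """Classify the first packet a PostgreSQL client sends on a new connection."""
    if len(packet) < 8:
        raise ValueError("need at least length + code (8 bytes)")
    length, code = struct.unpack("!II", packet[:8])
    if length != len(packet):
        raise ValueError(f"length field says {length}, got {len(packet)} bytes")
    major, minor = code >> 16, code & 0xFFFF
    info = {"version": f"{major}.{minor}", "kind": SPECIAL_CODES.get((major, minor))}
    if info["kind"] is None:
        # Ordinary StartupMessage: NUL-terminated key/value strings, then one NUL.
        items = packet[8:].split(b"\x00")
        items = items[:items.index(b"")]
        if len(items) % 2:
            raise ValueError("parameter name without a value")
        names = [i.decode() for i in items[0::2]]
        values = [i.decode() for i in items[1::2]]
        info.update(kind="StartupMessage", params=dict(zip(names, values)))
    return info


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        build_packet(1234, 5679),
        build_packet(1234, 5680),
        build_packet(3, 0, {"user": "casey", "database": "postgres"}),
    ]
    for pkt in samples:
        print(decode_startup(pkt))
```

Running the same decoder over the first bytes of a capture on the accept and connect ports shows which side of the tunnel is sending the SSLRequest or GSSENCRequest.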
participants (3)
- Casey & Gina
- d3rIIIe15ter Tier
- Jose Alf.