*** URGENT *** SSL Documentation?!

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for PostgreSQL
Post Reply
hmuscroft
Posts: 23
Joined: Tue 28 Nov 2006 10:07

*** URGENT *** SSL Documentation?!

Post by hmuscroft » Fri 28 Aug 2009 20:11

I have an urgent requirement to implement SSL in my application.

However, the documentation you have provided is out of date and incorrect. The documentation gives this example :-

Code: Select all

PgSqlConnection conn = new PgSqlConnection("user id=postgres;password=postgres;host=localhost;");
conn.SslOptions.Cert = "E:\Test\client.p12";
conn.SslOptions.Password = "";
conn.SslOptions.TargetHost = "pg_server";
conn.SslOptions.SslMode = SslMode.Require;
conn.Open();
This is completely incorrect and won't even compile. According to IntelliSense, the actual members of 'SslOptions' are :-

CACert = location of authority certificate
Cert = location of client certificate
CipherList = list of ciphers the client agrees to use
Key = location of users private key
SslMode =

Please will you provide an in-depth guide on how to set this up? Also, according to the PostgreSQL documentation here :-
http://www.postgresql.org/docs/8.1/static/ssl-tcp.html
When the root.crt file is not present, client certificates will not be requested or checked. In this mode, SSL provides communication security but not authentication.
...client authentication is optional and we should be able to omit it and only encrypt the communication without any client authentication. I have already implemented this with my client's PostgreSQL installation - please can you let me know how to implement this with your provider?

Thanks, Hedley

Shalex
Site Admin
Posts: 8246
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Mon 31 Aug 2009 07:54

1. We have sent you by e-mail the updated Using Secure Connections article. It will be available in our documentation in the nearest future.

2. If root.crt is not set at the PostgreSQL server side, server will not check the client certificate (client.crt and client.key are not necessary to be set at the client side, because they will not be used).
If root.crt is not set at the client side, client will not check the server certificate.
Therefore, server and client should be configured without root.crt to use SSL without authentication.

hmuscroft
Posts: 23
Joined: Tue 28 Nov 2006 10:07

Post by hmuscroft » Mon 31 Aug 2009 09:05

Thanks Shalex - got it up-and-running now. There's a typo in the documentation. It says :-
- client certificate (for example client.crt) - used to encrypt and decrypt data during connection.
- private key (for example client.crt) - proves client certificate sent by owner; does not indicate certificate owner is trustworthy.
The second item should read "private key (for example client.key)".

Thanks again.

Post Reply