Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wc0Br-0030s7-1O for pgsql-general@arkaria.postgresql.org; Tue, 23 Jun 2026 12:25:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wc0Bq-00Bodp-0u for pgsql-general@arkaria.postgresql.org; Tue, 23 Jun 2026 12:25:18 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wc0Bp-00Bodh-2G for pgsql-general@lists.postgresql.org; Tue, 23 Jun 2026 12:25:17 +0000 Received: from mail-dl1-x1231.google.com ([2607:f8b0:4864:20::1231]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wc0Bm-00000001k9K-3viH for pgsql-general@lists.postgresql.org; Tue, 23 Jun 2026 12:25:16 +0000 Received: by mail-dl1-x1231.google.com with SMTP id a92af1059eb24-1397e093f90so3539180c88.1 for ; Tue, 23 Jun 2026 05:25:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1782217513; cv=none; d=google.com; s=arc-20240605; b=D0wAX2GCpCWxKU3RzVWWN3UZp4+I4ItXuhr8g/7uiGx7PefL2DmyMUWng11COcqLnI F9qPaOPeoOMzcASN7boKym3VtwA82+xtbYFU+VQGQ4X4dSNuhMpEhC0AFzan2mluvzlE jtAt5YyZ7f65RBLwld2Dhx9E0+d/a9ygVfR2nm2f7tznr1WHnVOoh+l/Mf/gqscPtsNj L4V7CKo6RcvfdzKcyPt9v7wJ0/l2qsK+0BUhKlH0iHYUB0Cvg5Ye6hcRKB+Ik3HFWUKT cZcbAXbNNuj+h9arF1GOTN5rjMtCV3OhY+XRWDUeJVDpjIoImwYKzd6JBoZWKhiiBReG a4Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=76nLKp6pWeY2AzY0G+rg/H8RLP4DrId0NFXuaucnE4Y=; fh=9fYW1w+C8R+Uz+xc39rcVIRjBn15pnXRkmIjxsCA9IU=; b=akAJgVQsxy+r6ayE5nExUGj2l0XlBzRe7pscg1aNQVM1FbzkAHL0jxMHIvj52/mizq dQEyCYhaCSKjq4ri1bRERX4s7YmiCdubw9Ggy/GvOobmr9oxFBnxspA8IItVF6Jd5kVT kAePk4kuxx0ZT2VHwyuunMLgIcZcXMZWeSOxiDgxS5rzfpShwGt3mveLGTjtHxzO10Q7 j0BZLJ0pVYzw7TznCGwVO6/b9vxjyZCe2seOOVYOBSIUvILz1Q+7e5NSBW2NitTr0uF6 UxL+Kc6FPERcSpamB+S03Yph+eO7vj2AUmATkpdd1CMQUVKOva+LZth0qT2kYjNS6UWj vwUg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782217513; x=1782822313; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=76nLKp6pWeY2AzY0G+rg/H8RLP4DrId0NFXuaucnE4Y=; b=W2PC1pQRR+I/NcKVQFHaiGVBby/XmPgQ5i8prVVTuf/Ebu75fxHnuI4pzdaf33xQZf YSTLMk52nBPRKJPOQ5PbfkPyYJjhsXoiMhvHG3Zxh5L5FFXVp5a1ByzlsBGRi5S0SsS0 ERSqTqBNw2yYc1arp2bufMS/Zd2D8tA3Jy1zf+8CrGj0AwqyzPWDnx1l8Bg/3BzT+UkY VA9+Nm/6LY8/oc3F3zDh1k3GAAFw1t24/7dUt6lkNZmAygO1n6ap7bH0vKxlRnGrdDyR LnC2q9bggiKD19t5CVsFnkq1qhc1aDX0IVN405g3H8LIUlDwPxl7WNTtVd5YAF8of7VP 6A8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782217513; x=1782822313; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=76nLKp6pWeY2AzY0G+rg/H8RLP4DrId0NFXuaucnE4Y=; b=Nv7HJpngPwP9ea7GlGdeGTLBhuOxCfA8EG73eAZVMV008yS77pHTTqyAlAg6gsx35w X9BIo4ecviQwiC2iq2+CPfS9A0Zq3jpO/Kv+ad4jWMZABMQvvK4kjBroMSxqKY+RwXJZ zfhMvOyVWk+xHRRAtzrjZWWecmxOIOpLJn+MMtATZzG2qT+shboK3kJto9/pd6BOBTL3 3HFmzhKBrxJ3h0KwUgXkoQGMJVcR3fh6Xcdg6LtDFYz4Xwc88db5bL2iX20Dylog80GN dtuo/mW3eVIoxEB8JF/gMFiB5G4yjEZ2c++oDS4FiXjsLFilP3nKPJIkth+gay/5rGfq Eo9A== X-Gm-Message-State: AOJu0Yx222aejpwc0D+oQ4vI2LvAVY+6LBdM4AjLiKsT6/YqXB1y6zMC LGs/wS50MXmpD+m6mrzkzrHJlr12Nn5PSf0FPKMNHcgo7gk8u2xh09N31Vuu5nIqKqCzyt69eLK L7RC4Ur3M2nKcsULLEfadKg/nKHdKhws= X-Gm-Gg: AfdE7clRJzz1REI7HjrR6x96z13EqQOgRTJqUrQcBcZ1FMHhUQixMbHaTKeK7RcnctY EMfyxulxQQ3zH/0PCaN1kSbSCaxeWqG6BQRGiJ4uJMCK/zyvRx3IHDKf+JNGcwruuzHvpT9Ayho CdZ/YTdmc8EX8EJyHALfjNr1XYs+BNj4UkIf1t1c5iHZ0twYjcmk4NUn8cVWetgbFmyx+dT2j5q ZSpzm+6XrFzw2dKgIjjV5EFZx/FeOw2v5WoEc1LwUNs4147CkSnQvUZAdKt3oGzwznaD1jCwNOJ 4SfqxQ5sCKovMQ5j/og73ThR9y3pgWwE2E1XbLfhCz61+0uZbLx0Ma0D X-Received: by 2002:a05:7022:1a81:b0:139:9f6f:2eee with SMTP id a92af1059eb24-139a369a9dfmr11703200c88.36.1782217513220; Tue, 23 Jun 2026 05:25:13 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Joan Frey Date: Tue, 23 Jun 2026 14:25:00 +0200 X-Gm-Features: AVVi8CcQXXeKmRaZjKXsBydmJViMjWH-sz72st7PRYakc2y3t1SIg7eXs_iQAUQ Message-ID: Subject: Re: PostgreSQL server with SSL To: Matthias Apitz Cc: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000c9be200654ead95c" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000c9be200654ead95c Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I could only find this error message related to an error with the openssl version. This issue was apparently patched with pg15.6 ( https://www.postgresql.org/docs/release/15.6/) I suggest that you update to the latest minor version and retry. Le mar. 23 juin 2026 =C3=A0 14:00, Matthias Apitz a =C3= =A9crit : > El d=C3=ADa martes, junio 23, 2026 a las 01:19:00 +0200, Joan Frey escrib= i=C3=B3: > > > Hi Matthias, > > > > *How could I enable more logging about the SSL session problem?* > > > > You can edit the following parameters in postgresql.conf: > > log_connections =3D on > > log_min_messages =3D [debug5, debug4, debug3, debug2, debug1, info, > notice, > > warning, error, log, fatal, panic] > > > > Reload postgres and then check the postgresql logs > > > Thanks, > > With > > log_connections =3D on > log_min_messages =3D debug5 > > I see in the log file the following messages (without a hint, why it > fails to accept SSL): > > 2026-06-23 13:41:08.704 CEST [31292] DEBUG: forked new backend, pid=3D99= 4 > socket=3D9 > 2026-06-23 13:41:08.704 CEST [994] LOG: connection received: > host=3D10.49.210.27 port=3D50775 > 2026-06-23 13:41:08.777 CEST [994] DEBUG: SSL: handshake start: "before > SSL initialization" > 2026-06-23 13:41:08.777 CEST [994] DEBUG: SSL: accept loop: "before SSL > initialization" > 2026-06-23 13:41:08.777 CEST [994] DEBUG: SSL: accept exit (-1): "before > SSL initialization" > 2026-06-23 13:41:08.777 CEST [994] LOG: could not accept SSL connection: > Socket operation on non-socket > 2026-06-23 13:41:08.777 CEST [994] DEBUG: SSL connection from > DN:"(anonymous)" CN:"(anonymous)" > 2026-06-23 13:41:08.777 CEST [994] DEBUG: shmem_exit(0): 0 > before_shmem_exit callbacks to make > 2026-06-23 13:41:08.777 CEST [994] DEBUG: shmem_exit(0): 0 on_shmem_exit > callbacks to make > 2026-06-23 13:41:08.777 CEST [994] DEBUG: proc_exit(0): 1 callbacks to > make > 2026-06-23 13:41:08.777 CEST [994] DEBUG: exit(0) > > > > You can also force sslmode when you connect using > > psql "host=3D... port=3D5432 user=3Dsisis dbname=3Dsisis sslmode=3Dreq= uire" > > > > Cheers, > > Joan > > > > Le mar. 23 juin 2026 =C3=A0 12:31, Matthias Apitz a = =C3=A9crit > : > > > > > I have generated new SSL keys exactly as documented in > > > https://www.postgresql.org/docs/15/ssl-tcp.html > > > > > > # su - postgres > > > $ mkdir canew > > > $ cd canew > > > $ export PATH=3D/usr/local/sisis-pap/bin:$PATH > > > $ export LD_LIBRARY_PATH=3D/usr/local/sisis-pap/lib > > > $ openssl -v > > > OpenSSL 3.5.7 9 Jun 2026 (Library: OpenSSL 3.5.7 9 Jun 2026) > > > > > > $ openssl req -new -x509 -days 365 -nodes -text -out server.crt > -keyout > > > server.key -subj "/CN=3Dsrap48dxr1.dev.xxxx.org" > > > $ chmod og-rwx server.key > > > > > > $ openssl req -new -nodes -text -out root.csr -keyout root.key -sub= j > > > "/CN=3Droot.dev.xxxx.org" > > > $ chmod og-rwx root.key > > > > > > $ openssl x509 -req -in root.csr -text -days 3650 -extfile > > > /usr/local/sisis-pap/openssl.cnf -extensions v3_ca -signkey root.key > -out > > > root.crt > > > $ openssl req -new -nodes -text -out server.csr -keyout server.key > -subj > > > "/CN=3Dsrap48dxr1.dev.xxxx.org" > > > $ chmod og-rwx server.key > > > $ openssl x509 -req -in server.csr -text -days 365 -CA root.crt > -CAkey > > > root.key -CAcreateserial -out server.crt > > > > > > $ ls -l > > > insgesamt 36 > > > -rw-r--r-- 1 postgres postgres 4168 23. Jun 11:27 root.crt > > > -rw-r--r-- 1 postgres postgres 3377 23. Jun 11:24 root.csr > > > -rw------- 1 postgres postgres 1704 23. Jun 11:24 root.key > > > -rw-r--r-- 1 postgres postgres 41 23. Jun 11:28 root.srl > > > -rw-r--r-- 1 postgres postgres 4087 23. Jun 11:28 server.crt > > > -rw-r--r-- 1 postgres postgres 3391 23. Jun 11:28 server.csr > > > -rw------- 1 postgres postgres 1704 23. Jun 11:28 server.key > > > > > > In postgresql.conf the SSL section is now: > > > > > > # - SSL - > > > # > > > ssl =3D on > > > ssl_cert_file =3D '/home/postgres/canew/server.crt' > > > ssl_key_file =3D '/home/postgres/canew/server.key' > > > > > > and in pg_hba.conf the matching entry for the IP addr of my Mac is: > > > > > > hostssl all all 10.49.210.27/32 > > > password > > > host all all 10.49.210.27/32 > > > password > > > > > > With the line for 'host' the connect with the psql falls back to > non-SSL. > > > > > > $ psql -Usisis > > > Password for user sisis: > > > psql (14.15 (Homebrew), server 15.1) > > > Type "help" for help. > > > > > > sisis=3D# > > > > > > When I have only the 'hostssl' line for the IP addr 10.49.210.27 it > says > > > > > > psql -Usisis > > > psql: error: connection to server at "srap48dxr1.dev.xxxx.org" > > > (10.23.33.57), port 2345 failed: SSL SYSCALL error: EOF detected > > > connection to server at "srap48dxr1.dev.xxxx.org" (10.23.33.57), port > > > 2345 failed: FATAL: no pg_hba.conf entry for host "10.49.210.27", us= er > > > "sisis", database "sisis", no encryption > > > > > > How could I enable more logging about the SSL session problem? > > > Thanks > > > > > > matthias > > > > > > > > > El d=C3=ADa lunes, junio 22, 2026 a las 07:56:39 +0200, Matthias Apit= z > escribi=C3=B3: > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > I've enabled SSL in the connection to the PostgreSQL server (16.5). > > > > All details see below. The SSL connection works fine from a remote > > > > host, for example from my MacBook, but does not work on the host > > > > itself via interface 'lo' where it gives the error message: > > > > > > > > FATAL: no PostgreSQL user name specified in startup packet > > > > connection to server at "srap48dxr1.dev.xxxx.org" (10.23.33.57)= , > > > port 5432 failed: FATAL: no PostgreSQL user name specified in startu= p > > > packet > > > > > > > > and psql crashes. Interesting observation with tcpdump is, stat the > > > > above error message is sent in clear over the network. > > > > > > > > The same picture is with all C- or Java-written software using an > ESQL/C > > > > or JDBC interface. > > > > > > > > Any idea on this? > > > > > > > > Here are the details > > > > > > > > > > > > # su - postgres > > > > $ mkdir ca > > > > $ cd ca > > > > $ export LD_LIBRARY_PATH=3D/usr/local/sisis-pap/lib > > > > $ export OPENSSL=3D/usr/local/sisis-pap/bin/openssl > > > > $ $OPENSSL version # just for testing > > > > export OPENSSL_CONFIG=3D'-config /usr/local/sisis-pap/openssl.cnf' > > > > $ /usr/local/sisis-pap/misc/CA.pl -newca > > > > ... > > > > $ /usr/local/sisis-pap/misc/CA.pl -newreq > > > > ... > > > > $ ls -l newreq.pem newkey.pem > > > > -rw------- 1 postgres postgres 1886 16. Jun 12:40 newkey.pem > > > > -rw-r--r-- 1 postgres postgres 1090 16. Jun 12:42 newreq.pem > > > > $ /usr/local/sisis-pap/misc/CA.pl -sign > > > > ... > > > > > > > > $ mv newcert.pem pg-server.crt > > > > $ mv newkey.pem pg-server.key > > > > > > > > we must remove the passphrase from the key for PostgreSQL to be abl= e > to > > > read > > > > and start the PostgreSQL server without user interaction: > > > > > > > > $ $OPENSSL rsa -in pg-server.key -out pg-passless-server.key > > > > Enter pass phrase for pg-server.key: > > > > writing RSA key > > > > > > > > Enabling SSL in postgresql.conf: > > > > > > > > $ vim /data/postgresql165/data/postgresql.conf > > > > > > > > # - SSL - > > > > > > > > ssl =3D on > > > > ssl_cert_file =3D '/home/postgres/ca/pg-server.crt' > > > > ssl_key_file =3D '/home/postgres/ca/pg-passless-server.key' > > > > ssl_ca_file =3D '/home/postgres/ca/demoCA/cacert.pem' > > > > > > > > $ vim /data/postgresql165/data/pg_hba.conf > > > > changed 'host' to 'hostssl' for the relevant lines > > > > > > > > Start of the server: > > > > > > > > # /etc/init.d/postgres165 start > > > > > > > > Connect from my MacBook to the remote host srap48dxr1.dev.xxxx.org: > > > > > > > > $ export PGHOST=3Dsrap48dxr1.dev.xxxx.org > > > > $ export PGPORT=3D5432 > > > > > > > > $ psql -Usisis sisis > > > > Password for user sisis: > > > > psql (14.15 (Homebrew), server 16.5) > > > > SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, > bits: > > > 256, compression: off) > > > > Type "help" for help. > > > > > > > > sisis=3D> > > > > > > > > > > > > Connect on the host itself: > > > > > > > > $ export PGHOST=3Dsrap48dxr1.dev.xxxx.org > > > > $ export PGPORT=3D5432 > > > > > > > > $ /usr/local/sisis-pap/pgsql-16.5/bin/psql -Usisis > > > > psql: Fehler: connection to server at "srap48dxr1.dev.xxxx.org" > > > (10.23.33.57), port 5432 failed: FATAL: no PostgreSQL user name > specified > > > in startup packet > > > > connection to server at "srap48dxr1.dev.xxxx.org" (10.23.33.57), > port > > > 5432 failed: FATAL: no PostgreSQL user name specified in startup > packet > > > > free(): invalid pointer > > > > Abgebrochen (Speicherabzug geschrieben) > > > > > > > > $ ldd /usr/local/sisis-pap/pgsql-16.5/bin/psql | egrep > 'libssl|crypto' > > > > libssl.so.3 =3D> /usr/local/sisis-pap/lib/libssl.so.3 > > > (0x00007f9ea38cb000) > > > > libcrypto.so.3 =3D> /usr/local/sisis-pap/lib/libcrypto.so.3 > > > (0x00007f9ea3000000) > > > > > > > > -- > > > > Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/ > > > +49-176-38902045 > > > > Public GnuPG key: http://www.unixarea.de/key.pub > > > > > > > > > > > > > > -- > > > Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/ > > > +49-176-38902045 > > > Public GnuPG key: http://www.unixarea.de/key.pub > > > > > > > > > > > -- > Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/ > +49-176-38902045 > Public GnuPG key: http://www.unixarea.de/key.pub > --000000000000c9be200654ead95c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I=C2=A0could only find this error message related to an er= ror with the openssl version.
This issue was apparently patched with pg= 15.6 (https://www= .postgresql.org/docs/release/15.6/)

I suggest = that you update to the latest minor version and retry.

Le=C2=A0mar. 23 juin 2026 =C3=A0=C2=A014:00, Matthias Apitz <guru@unixarea.de> a =C3=A9crit=C2=A0= :
El d=C3=ADa ma= rtes, junio 23, 2026 a las 01:19:00 +0200, Joan Frey escribi=C3=B3:

> Hi Matthias,
>
> *How could I enable more logging about the SSL session problem?*
>
> You can edit the following parameters in postgresql.conf:
> log_connections =3D on
> log_min_messages =3D=C2=A0 [debug5, debug4, debug3, debug2, debug1, in= fo, notice,
> warning, error, log, fatal, panic]
>
> Reload postgres and then check the postgresql logs


Thanks,

With

log_connections =3D on
log_min_messages =3D=C2=A0 debug5

I see in the log file the following messages (without a hint, why it
fails to accept SSL):

2026-06-23 13:41:08.704 CEST [31292] DEBUG:=C2=A0 forked new backend, pid= =3D994 socket=3D9
2026-06-23 13:41:08.704 CEST [994] LOG:=C2=A0 connection received: host=3D1= 0.49.210.27 port=3D50775
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 SSL: handshake start: "= ;before SSL initialization"
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 SSL: accept loop: "bef= ore SSL initialization"
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 SSL: accept exit (-1): &quo= t;before SSL initialization"
2026-06-23 13:41:08.777 CEST [994] LOG:=C2=A0 could not accept SSL connecti= on: Socket operation on non-socket
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 SSL connection from DN:&quo= t;(anonymous)" CN:"(anonymous)"
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 shmem_exit(0): 0 before_shm= em_exit callbacks to make
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 shmem_exit(0): 0 on_shmem_e= xit callbacks to make
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 proc_exit(0): 1 callbacks t= o make
2026-06-23 13:41:08.777 CEST [994] DEBUG:=C2=A0 exit(0)
>
> You can also force sslmode when you connect using
> psql "host=3D... port=3D5432=C2=A0 user=3Dsisis dbname=3Dsisis ss= lmode=3Drequire"
>
> Cheers,
> Joan
>
> Le mar. 23 juin 2026 =C3=A0 12:31, Matthias Apitz <guru@unixarea.de> a =C3=A9crit= :
>
> > I have generated new SSL keys exactly as documented in
> > https://www.postgresql.org/docs/15/ssl-tc= p.html
> >
> > # su - postgres
> > $ mkdir canew
> > $ cd canew
> > $ export PATH=3D/usr/local/sisis-pap/bin:$PATH
> > $ export LD_LIBRARY_PATH=3D/usr/local/sisis-pap/lib
> > $ openssl -v
> > OpenSSL 3.5.7 9 Jun 2026 (Library: OpenSSL 3.5.7 9 Jun 2026)
> >
> > $ openssl req -new -x509 -days 365 -nodes -text -out server.crt= =C2=A0 =C2=A0-keyout
> > server.key -subj "/CN=3Dsrap48dxr1.dev.xxxx.org&quo= t;
> > $ chmod og-rwx server.key
> >
> > $ openssl req -new -nodes -text -out root.csr=C2=A0 =C2=A0-keyout= root.key -subj
> > "/CN=3Droot.dev.xxxx.org"
> > $ chmod og-rwx root.key
> >
> > $ openssl x509 -req -in root.csr -text -days 3650 -extfile
> > /usr/local/sisis-pap/openssl.cnf -extensions v3_ca -signkey root.= key -out
> > root.crt
> > $ openssl req -new -nodes -text -out server.csr=C2=A0 =C2=A0-keyo= ut server.key -subj
> > "/CN=3Dsrap48dxr1.dev.xxxx.org"
> > $ chmod og-rwx server.key
> > $ openssl x509 -req -in server.csr -text -days 365=C2=A0 =C2=A0-C= A root.crt -CAkey
> > root.key -CAcreateserial=C2=A0 =C2=A0-out server.crt
> >
> > $ ls -l
> > insgesamt 36
> > -rw-r--r-- 1 postgres postgres 4168 23. Jun 11:27 root.crt
> > -rw-r--r-- 1 postgres postgres 3377 23. Jun 11:24 root.csr
> > -rw------- 1 postgres postgres 1704 23. Jun 11:24 root.key
> > -rw-r--r-- 1 postgres postgres=C2=A0 =C2=A041 23. Jun 11:28 root.= srl
> > -rw-r--r-- 1 postgres postgres 4087 23. Jun 11:28 server.crt
> > -rw-r--r-- 1 postgres postgres 3391 23. Jun 11:28 server.csr
> > -rw------- 1 postgres postgres 1704 23. Jun 11:28 server.key
> >
> > In postgresql.conf the SSL section is now:
> >
> > # - SSL -
> > #
> > ssl =3D on
> > ssl_cert_file =3D '/home/postgres/canew/server.crt'
> > ssl_key_file =3D '/home/postgres/canew/server.key'
> >
> > and in pg_hba.conf the matching entry for the IP addr of my Mac i= s:
> >
> > hostssl=C2=A0 =C2=A0 all=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0all=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A010.49.210.27/32<= br> > >=C2=A0 password
> > host=C2=A0 =C2=A0 =C2=A0 =C2=A0all=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0all=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A010.49.210.= 27/32
> >=C2=A0 password
> >
> > With the line for 'host' the connect with the psql falls = back to non-SSL.
> >
> > $ psql -Usisis
> > Password for user sisis:
> > psql (14.15 (Homebrew), server 15.1)
> > Type "help" for help.
> >
> > sisis=3D#
> >
> > When I have only the 'hostssl' line for the IP addr 10.49= .210.27 it says
> >
> > psql -Usisis
> > psql: error: connection to server at "srap48dxr1.dev.xx= xx.org"
> > (10.23.33.57), port 2345 failed: SSL SYSCALL error: EOF detected<= br> > > connection to server at "srap48dxr1.dev.xxxx.org&qu= ot; (10.23.33.57), port
> > 2345 failed: FATAL:=C2=A0 no pg_hba.conf entry for host "10.= 49.210.27", user
> > "sisis", database "sisis", no encryption
> >
> > How could I enable more logging about the SSL session problem? > > Thanks
> >
> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0matthias
> >
> >
> > El d=C3=ADa lunes, junio 22, 2026 a las 07:56:39 +0200, Matthias = Apitz escribi=C3=B3:
> >
> > >
> > >
> > > Hello,
> > >
> > >
> > > I've enabled SSL in the connection to the PostgreSQL ser= ver (16.5).
> > > All details see below. The SSL connection works fine from a = remote
> > > host, for example from my MacBook, but does not work on the = host
> > > itself via interface 'lo' where it gives the error m= essage:
> > >
> > >=C2=A0 =C2=A0 =C2=A0FATAL:=C2=A0 no PostgreSQL user name spec= ified in startup packet
> > >=C2=A0 =C2=A0 =C2=A0connection to server at "srap48= dxr1.dev.xxxx.org" (10.23.33.57),
> > port 5432 failed: FATAL:=C2=A0 no PostgreSQL user name specified = in startup
> > packet
> > >
> > > and psql crashes. Interesting observation with tcpdump is, s= tat the
> > > above error message is sent in clear over the network.
> > >
> > > The same picture is with all C- or Java-written software usi= ng an ESQL/C
> > > or JDBC interface.
> > >
> > > Any idea on this?
> > >
> > > Here are the details
> > >
> > >
> > > # su - postgres
> > > $ mkdir ca
> > > $ cd ca
> > > $ export LD_LIBRARY_PATH=3D/usr/local/sisis-pap/lib
> > > $ export OPENSSL=3D/usr/local/sisis-pap/bin/openssl
> > > $ $OPENSSL version=C2=A0 # just for testing
> > > export OPENSSL_CONFIG=3D'-config /usr/local/sisis-pap/op= enssl.cnf'
> > > $ /usr/local/sisis-pap/misc/CA.pl -newca
> > > ...
> > > $ /usr/local/sisis-pap/misc/CA.pl -newreq
> > > ...
> > > $ ls -l newreq.pem newkey.pem
> > > -rw------- 1 postgres postgres 1886 16. Jun 12:40 newkey.pem=
> > > -rw-r--r-- 1 postgres postgres 1090 16. Jun 12:42 newreq.pem=
> > > $ /usr/local/sisis-pap/misc/CA.pl -sign
> > > ...
> > >
> > > $ mv newcert.pem pg-server.crt
> > > $ mv newkey.pem pg-server.key
> > >
> > > we must remove the passphrase from the key for PostgreSQL to= be able to
> > read
> > > and start the PostgreSQL server without user interaction: > > >
> > > $ $OPENSSL rsa -in pg-server.key -out pg-passless-server.key=
> > > Enter pass phrase for pg-server.key:
> > > writing RSA key
> > >
> > > Enabling SSL in postgresql.conf:
> > >
> > > $ vim /data/postgresql165/data/postgresql.conf
> > >
> > > # - SSL -
> > >
> > > ssl =3D on
> > > ssl_cert_file =3D '/home/postgres/ca/pg-server.crt'<= br> > > > ssl_key_file =3D '/home/postgres/ca/pg-passless-server.k= ey'
> > > ssl_ca_file =3D '/home/postgres/ca/demoCA/cacert.pem'= ;
> > >
> > > $ vim /data/postgresql165/data/pg_hba.conf
> > > changed 'host' to 'hostssl' for the relevant= lines
> > >
> > > Start of the server:
> > >
> > > # /etc/init.d/postgres165 start
> > >
> > > Connect from my MacBook to the remote host srap48dxr1.d= ev.xxxx.org:
> > >
> > > $ export PGHOST=3Dsrap48dxr1.dev.xxxx.org
> > > $ export PGPORT=3D5432
> > >
> > > $ psql -Usisis sisis
> > > Password for user sisis:
> > > psql (14.15 (Homebrew), server 16.5)
> > > SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_S= HA384, bits:
> > 256, compression: off)
> > > Type "help" for help.
> > >
> > > sisis=3D>
> > >
> > >
> > > Connect on the host itself:
> > >
> > > $ export PGHOST=3Dsrap48dxr1.dev.xxxx.org
> > > $ export PGPORT=3D5432
> > >
> > > $ /usr/local/sisis-pap/pgsql-16.5/bin/psql -Usisis
> > > psql: Fehler: connection to server at "srap48dxr1.= dev.xxxx.org"
> > (10.23.33.57), port 5432 failed: FATAL:=C2=A0 no PostgreSQL user = name specified
> > in startup packet
> > > connection to server at "srap48dxr1.dev.xxxx.org" (10.23.33.57), port
> > 5432 failed: FATAL:=C2=A0 no PostgreSQL user name specified in st= artup packet
> > > free(): invalid pointer
> > > Abgebrochen (Speicherabzug geschrieben)
> > >
> > > $ ldd /usr/local/sisis-pap/pgsql-16.5/bin/psql | egrep '= libssl|crypto'
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0libssl.so.3 =3D> /usr/local/sis= is-pap/lib/libssl.so.3
> > (0x00007f9ea38cb000)
> > >=C2=A0 =C2=A0 =C2=A0 =C2=A0libcrypto.so.3 =3D> /usr/local/= sisis-pap/lib/libcrypto.so.3
> > (0x00007f9ea3000000)
> > >
> > > --
> > > Matthias Apitz, =E2=9C=89
guru@unixarea.de, http://www.unixarea.de/
> > +49-176-38902045
> > > Public GnuPG key: http://www.unixarea.de/key.pub > > >
> > >
> >
> > --
> > Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/
> > +49-176-38902045
> > Public GnuPG key: http://www.unixarea.de/key.pub
> >
> >
> >

--
Matthias Apitz, =E2=9C=89 guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
--000000000000c9be200654ead95c--