
When no SSL configs are applied:

pg_hba.conf

    host  database  user  0.0.0.0/0  scram-sha-256

postgresql.conf

    listen_addresses = '*'
    port = 5432
    ssl = on
    ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
    ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

Running netstat -nltp, I get:

    smadmin@studymatepro:~$ sudo netstat -nltp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      970/systemd-resolve
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1405/sshd
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1079/cupsd
    tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      3780/postgres
    tcp6       0      0 :::22                   :::*                    LISTEN      1405/sshd
    tcp6       0      0 ::1:631                 :::*                    LISTEN      1079/cupsd
    tcp6       0      0 :::5432                 :::*                    LISTEN      3780/postgres
    smadmin@studymatepro:~$

You can see the remote TCP/IP on port 5432, and I can get an SSL connection (server-side authentication only).

Now, when I configure SSL and add client.crt, client.key and root.crt to the client machine:

pg_hba.conf

    hostssl  database  user  0.0.0.0/0  scram-sha-256  clientcert=1

postgresql.conf

    listen_addresses = '*'
    port = 5432
    ssl = on
    ssl_cert_file = '/etc/ssl/certs/server.crt'      # my self signed crt
    ssl_key_file = '/etc/ssl/private/server.key'
    ssl_ca_file = '/etc/ssl/certs/rootCert.crt'
    ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'         # allowed SSL ciphers
    ssl_prefer_server_ciphers = on
    ssl_ecdh_curve = 'prime256v1'
    password_encryption = scram-sha-256

and run netstat -nltp, I get:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      970/systemd-resolve
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1405/sshd
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1079/cupsd
    tcp6       0      0 :::22                   :::*                    LISTEN      1405/sshd
    tcp6       0      0 ::1:631                 :::*                    LISTEN      1079/cupsd

The remote TCP/IP on port 5432 is gone!!! That's why I'm getting connection refused, since remote port 5432 is no longer active. The question is why this happened... Am I doing something wrong?

Mohd
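A pre-flight check for the situation in this post, added here as an example and not part of the original question: it parses the ssl_* lines of a postgresql.conf and reports the conditions under which PostgreSQL refuses to start at all (so the 5432 listener never appears and clients see "connection refused") rather than refusing an individual connection: values not delimited by plain single quotes, stray text after the value, a referenced file that is missing or unreadable, and a key file whose mode PostgreSQL rejects (at most 0600, or 0640 when owned by root). The paths, the temporary files and the config text in demo() are constructed; run the check as the OS user postgres runs as.

```python
import os, re, stat, tempfile

FILE_KEYS = ("ssl_cert_file", "ssl_key_file", "ssl_ca_file")
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*(?:#.*)?$")

def parse_conf(text):
    """{key: raw value} for each 'key = value' line; a trailing '#' comment (the only kind allowed) is dropped."""
    return {m.group(1): m.group(2) for m in map(ASSIGN_RE.match, text.splitlines()) if m}

def unquote(raw):
    """(value, ok): ok only if raw is exactly one 'single-quoted' string with nothing after it."""
    if raw.startswith("'") and raw.count("'") >= 2:
        end = raw.index("'", 1)
        return raw[1:end], end == len(raw) - 1
    return raw.strip("\u2018\u2019\u201c\u201d"), False  # curly quotes are not valid delimiters

def key_perms_ok(path, server_uid):
    """PostgreSQL's startup rule: key at most 0600 if owned by the server user, 0640 if owned by root."""
    st = os.stat(path)
    if st.st_uid == server_uid:
        return not st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IXGRP | stat.S_IRWXO)

def check_ssl_settings(text, server_uid=None):
    """Findings that would stop the server starting (and so listening on 5432); run as the postgres OS user."""
    server_uid = os.getuid() if server_uid is None else server_uid
    conf, findings = parse_conf(text), []
    if unquote(conf.get("ssl", "off"))[0] != "on":
        return findings  # with ssl = off the file settings are never examined at startup
    for key in (k for k in FILE_KEYS if k in conf):
        path, ok = unquote(conf[key])
        if not ok:
            findings.append(f"{key}: value {conf[key]!r} is not a single-quoted string")
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found: {path}")
        elif not os.access(path, os.R_OK):
            findings.append(f"{key}: not readable by uid {os.getuid()}: {path}")
        elif key == "ssl_key_file" and not key_perms_ok(path, server_uid):
            findings.append(f"{key}: mode too open (need 0600, or 0640 if root-owned): {path}")
    return findings

def demo():
    """Constructed sample: a cert value with a '//' tail, a world-readable key and a missing CA file."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "server.crt"), os.path.join(d, "server.key")
    for p in (cert, key): open(p, "w").close()
    os.chmod(key, 0o644)
    conf = (f"ssl = on\nssl_cert_file = '{cert}'  // my self signed crt\n"
            f"ssl_key_file = '{key}'\nssl_ca_file = '{d}/rootCert.crt'\n")
    return check_ssl_settings(conf)
```

When the server does fail to start for one of these reasons, the exact cause is also written to the PostgreSQL log before it exits, so that log is the first place to look alongside this check.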