Connecting to PostgreSQL with SSL using OpenSSL s_client
Solution 1:
You didn't specify why you wanted to use s_client.
If it is to interact with the database, any decent client will do. psql
can be called with the sslmode=require
option. See man psql
.
If it is to check the SSL certificate (which is why I came across your question), it still doesn't work with s_client as Magnus pointed out 7 years ago. you can now do it with openssl s_client
if you have a version >= 1.1.1, as pointed out in the answer of Adam Batkin. Use openssl version
to check, or just directly try this command to see if it works.
echo "" | openssl s_client -starttls postgres -connect EXAMPLE.COM:5432 -showcerts
If you have an older version which doesn't support postgres, this python script can also retrieve the SSL certificate: https://github.com/thusoy/postgres-mitm/blob/master/postgres_get_server_cert.py
For example to check certificate dates:
postgres_get_server_cert.py example.com:5432 | openssl x509 -noout -dates
Solution 2:
You cannot use s_client. PostgreSQL does protocol negotiation before SSL is started (to figure out if it should do SSL or not, since they both run on the same port). You need to use a proper PostgreSQL client (such as psql or pgadmin, for example), not s_client.
Solution 3:
It looks like OpenSSL's s_client
tool added Postgres support using the -starttls
in 1.1.1, so you can now use the full power of OpenSSL's command line tools without additional helper scripts:
> openssl s_client -starttls postgres -connect my.postgres.host:5432 # etc...
References:
- Git commit
- s_client manpage