Connecting to PostgreSQL with SSL using OpenSSL s_client

Solution 1:

You didn't specify why you wanted to use s_client.

If it is to interact with the database, any decent client will do. psql can be called with the sslmode=require option. See man psql.

If it is to check the SSL certificate (which is why I came across your question), it still doesn't work with s_client as Magnus pointed out 7 years ago. you can now do it with openssl s_client if you have a version >= 1.1.1, as pointed out in the answer of Adam Batkin. Use openssl version to check, or just directly try this command to see if it works.

echo "" | openssl s_client -starttls postgres -connect EXAMPLE.COM:5432 -showcerts

If you have an older version which doesn't support postgres, this python script can also retrieve the SSL certificate: https://github.com/thusoy/postgres-mitm/blob/master/postgres_get_server_cert.py

For example to check certificate dates:

postgres_get_server_cert.py example.com:5432 | openssl x509 -noout -dates

Solution 2:

You cannot use s_client. PostgreSQL does protocol negotiation before SSL is started (to figure out if it should do SSL or not, since they both run on the same port). You need to use a proper PostgreSQL client (such as psql or pgadmin, for example), not s_client.

Solution 3:

It looks like OpenSSL's s_client tool added Postgres support using the -starttls in 1.1.1, so you can now use the full power of OpenSSL's command line tools without additional helper scripts:

> openssl s_client -starttls postgres -connect my.postgres.host:5432 # etc...

References:

  • Git commit
  • s_client manpage