Sunday, 15 November 2009

Pgpool-II 2.3 coming soon...

Today Tatsuo Ishii posted interesting news on the pgpool mailing list: version 2.3 is coming this month.

What's new in 2.3:


- Adopt PostgreSQL 8.4 parser. One of the visible effects of this is that
the WITH clause can be load balanced.

- Allow the use of INSERT/UPDATE including CURRENT_TIMESTAMP,
CURRENT_DATE, now(). pgpool-II guarantees that each DB node will be
populated with exactly the same value for these data types. For example,
consider the following table:

CREATE TABLE t1(id INTEGER PRIMARY KEY, regdate TIMESTAMP DEFAULT CURRENT_TIMESTAMP);

Let's populate t1:

INSERT INTO t1(id) VALUES(1);

Actual query executed by pgpool-II is:

INSERT INTO "t1"("id", "regdate") VALUES (1,'2009-11-15 21:35:01.783053+09');

'2009-11-15 21:35:01.783053+09' is extracted from PostgreSQL by
executing SELECT CURRENT_TIMESTAMP. So the t1 tables on all DB nodes have
exactly the same value.

- Add new directive log_per_node_statement. If true, print all
statements to the log. Similar to log_statement except that it prints
DB node id and backend process id info. Example:

2009-11-15 21:34:12 LOG: pid 22285: DB node id: 0 backend pid: 22301 statement: CREATE TABLE t1(id INTEGER PRIMARY KEY, regdate TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
2009-11-15 21:34:12 LOG: pid 22285: DB node id: 1 backend pid: 22300 statement: CREATE TABLE t1(id INTEGER PRIMARY KEY, regdate TIMESTAMP DEFAULT CURRENT_TIMESTAMP);

Friday, 13 November 2009

Google Checkout over stunnel

Recently I ran the HTTPS connection to a website over stunnel + haproxy (why such an exotic idea is not really important at the moment). More important is that the whole operation went smoothly, quickly and easily. Everything worked until today, when I read an email from one of the developers in another company.
He had a problem with Google Checkout:


We encountered an error trying to access your server at https://some.website.at.web/GoogleCheckout/response --
the error we got is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake


First I checked the connection with a browser, but everything looked OK, as it should. I started digging, but Google didn't help me a lot. So I checked the Google Checkout documentation and found this:


There are also a number of measures you can take to keep your
communications with Google Checkout secure:

* Never share your Merchant Key with anyone.

* Sign your shopping cart XML using HMAC SHA1 and your Merchant Key.
Signing your shopping cart authenticates the cart you send and
verifies that your cart hasn't been tampered with during transmission.

* Send order processing commands over a secure HTTPS connection.
When sending order processing commands to Google, use an HTTPS connection
secured by 128-bit SSL v3 or TLS connection (SSL v2 is not allowed).
Use your Merchant ID and Merchant Key as the username and password for
HTTP Basic Authentication.

* Verify the authenticity of the server certificate presented to you.

* Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid
certificate from a major Certifying Authority to receive Google notifications.
Only accept messages authenticated by HTTP Basic Authentication, using
your Merchant ID and Merchant Key as the username and password.
Take a look at our list of accepted SSL certificates.

* Validate messages sent to your callback URL before processing them.



It still looks OK: SSL v3 or TLS. I rechecked, and SSL v3 is working. But Google Checkout doesn't like it.

Solution:

Change this in /etc/stunnel/stunnel.conf:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

to:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all


Because for Google, "SSLv3 or TLS" means "SSLv3 and TLS".
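
The effect of each `sslVersion` setting above can be checked before deploying, as in this added example (not code from the original post). It assumes a hypothetical `[https]` service, and uses stunnel's `options = NO_SSLv2` pass-through of the OpenSSL option to show the `all` setting without SSL v2, which the quoted Google documentation says is not allowed.

```python
# Added example (not from the original post): audit stunnel.conf protocol settings.
# Protocol names follow the config comment quoted in the post (all, SSLv2, SSLv3, TLSv1).
ALL = {"SSLv2", "SSLv3", "TLSv1"}

def effective_protocols(conf_text):
    """Map each [service] to the protocol versions it can negotiate.

    Lines before the first [section] are treated as defaults for all services.
    """
    # Assumption: a missing sslVersion is treated as "all" in this sketch.
    defaults = {"version": "all", "disabled": set()}
    services, current = {}, defaults
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"version": defaults["version"],
                       "disabled": set(defaults["disabled"])}
            services[line[1:-1]] = current
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key.lower() == "sslversion":
            current["version"] = value
        elif key.lower() == "options" and value.startswith("NO_"):
            current["disabled"].add(value[3:])   # e.g. NO_SSLv2 -> SSLv2
    return {name: (ALL if s["version"] == "all" else {s["version"]}) - s["disabled"]
            for name, s in services.items()}

def audit(conf_text):
    """Return (service, finding) pairs for risky or brittle protocol settings."""
    findings = []
    for name, protos in sorted(effective_protocols(conf_text).items()):
        if "SSLv2" in protos:
            findings.append((name, "SSLv2 enabled"))
        if len(protos) == 1:                     # one version only: other clients fail
            findings.append((name, "pinned to " + min(protos)))
    return findings

# Constructed sample configs; the [https] service and its ports are hypothetical.
SERVICE = "[https]\naccept = 443\nconnect = 127.0.0.1:8080\n"
BEFORE = "sslVersion = SSLv3\n" + SERVICE                       # the post's original
AFTER = "sslVersion = all\n" + SERVICE                          # the post's fix
HARDENED = "sslVersion = all\noptions = NO_SSLv2\n" + SERVICE   # fix without SSLv2

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(label, sorted(effective_protocols(conf)["https"]), audit(conf))
```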