Re: ssl connection issues - Mailing list pgsql-jdbc
From | Gabriele Bulfon |
---|---|
Subject | Re: ssl connection issues |
Date | |
Msg-id | 1954323705.1855.1537278167094@www Whole thread Raw |
In response to | Re: ssl connection issues (Dave Cramer <pg@fastcrypt.com>) |
Responses |
Re: ssl connection issues
|
List | pgsql-jdbc |
I had a chance to clone the illumos zone to a separate server and upgrade postgres to latest 10.5.
The results are the same:
Postgres logs "could not accept SSL connection: ccs received early"
The Java code throws the exception:
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
Sonicle S.r.l. : http://www.sonicle.com
Quantum Mechanics : http://www.cdbaby.com/cd/gabrielebulfon
Da: Dave Cramer <pg@fastcrypt.com>
A: Alexander Kjäll <alexander.kjall@gmail.com>
Cc: pgsql-jdbc@lists.postgresql.org
Data: 17 settembre 2018 12.38.18 CEST
Oggetto: Re: ssl connection issues
On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander.kjall@gmail.com> wrote:Another avenue for debugging would be to get a free "real" certificate
from https://letsencrypt.org/ and check if that works.
That way you can see if it's something in your certificate creation
process that causes trouble.
//Alexander Kjäll
On 17. sep. 2018 11:56, Mark Rotteveel wrote:
> On 2018-09-17 11:23, Gabriele Bulfon wrote:
>> That may be a possibility, but given that I cannot upgrade at the
>> moment, how can I check this and maybe change the required cipher to
>> match?
>
> Debugging SSL problems is not really something I do regularly, but you
> may want to see if changing the settings in the java.security policy
> helps. Settings to try are:
>
> jdk.tls.disabledAlgorithms
> jdk.certpath.disabledAlgorithms
>
> For reference:
>
> Java 8 Update 31, disabled SSLv3:
> http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
> Java 8 Update 51, disabled some cipher suites, and limitations for DH
> keys where added:
> http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
> similar for Java 8 Update 60:
> http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
> Java 8 update 71 disabled MD5 hash validation of certificates
> Java 8 update 121 added restrictions on DSA keysize:
> http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
> Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
> http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
> Java 8 update 161 added limitations for DH keys, made some changes to
> certificate validation and disabled a number of cipher suites:
> http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
> Java 8 update 171 disabled some ciphersuites:
> http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>
> Mark
>have a look at certdir in the source code. Setting up the ssl tests is not particularly difficult. Perhaps getting our tests working first might shed some light ??
pgsql-jdbc by date: