Re: buildfarm server suddenly not talking to old SSL stacks? - Mailing list pgsql-www
From | Alvaro Herrera |
---|---|
Subject | Re: buildfarm server suddenly not talking to old SSL stacks? |
Date | |
Msg-id | 20180717052430.ddpw5hgpotaas6ek@alvherre.pgsql |
In response to | buildfarm server suddenly not talking to old SSL stacks? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: buildfarm server suddenly not talking to old SSL stacks? |
List | pgsql-www |
On 2018-Jul-16, Tom Lane wrote:

> My buildfarm animals dromedary and prairiedog have been failing since
> around 9AM EDT on Sunday. The buildfarm script output isn't very
> detailed:
>
> getting branches of interest (https://buildfarm.postgresql.org/branches_of_inte\
> rest.txt) at ./run_branches.pl line 129.
>
> but trying it manually yields
>
> $ curl https://buildfarm.postgresql.org/branches_of_interest.txt
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
>
> The same thing works fine on newer machines though, as does fetching with
> http: instead of https:. Have we done something recently to create an
> incompatibility with old SSL stacks?

Yeah, there were a few updates that day at 11am UTC; particularly the
ca-certificates package was updated (to version 20161130+nmu1+deb9u1).
I don't know why this would be significant (is the server trying to
verify the client's cert?), but here's the changelog:

ca-certificates (20161130+nmu1+deb9u1) stretch; urgency=medium

  * debian/ca-certificates.postinst:
    Prevent postinst failure on read-only /usr/local. Closes: #843722
  * debian/control:
    Remove Christian Perrier from uploaders at his request. Closes: #894070
  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.22.
    Closes: #858064
    The following certificate authorities were added (+):
    + "AC RAIZ FNMT-RCM"
    + "Amazon Root CA 1"
    + "Amazon Root CA 2"
    + "Amazon Root CA 3"
    + "Amazon Root CA 4"
    + "D-TRUST Root CA 3 2013"
    + "GDCA TrustAUTH R5 ROOT"
    + "LuxTrust Global Root 2"
    + "SSL.com EV Root Certification Authority ECC"
    + "SSL.com EV Root Certification Authority RSA R2"
    + "SSL.com Root Certification Authority ECC"
    + "SSL.com Root Certification Authority RSA"
    + "Symantec Class 1 Public Primary Certification Authority - G4"
    + "Symantec Class 1 Public Primary Certification Authority - G6"
    + "Symantec Class 2 Public Primary Certification Authority - G4"
    + "Symantec Class 2 Public Primary Certification Authority - G6"
    + "TrustCor ECA-1"
    + "TrustCor RootCert CA-1"
    + "TrustCor RootCert CA-2"
    + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
    The following certificate authorities were removed (-):
    - "ACEDICOM Root"
    - "AddTrust Public Services Root"
    - "AddTrust Qualified Certificates Root"
    - "ApplicationCA - Japanese Government"
    - "Buypass Class 2 CA 1"
    - "CA Disig Root R1"
    - "Certinomis - Autorité Racine"
    - "China Internet Network Information Center EV Certificates Root"
    - "CNNIC ROOT"
    - "Comodo Secure Services root"
    - "Comodo Trusted Services root"
    - "DST ACES CA X6"
    - "EBG Elektronik Sertifika Hizmet Saglayicisi"
    - "Equifax Secure CA"
    - "Equifax Secure eBusiness CA 1"
    - "Equifax Secure Global eBusiness CA"
    - "GeoTrust Global CA 2"
    - "IGC/A"
    - "Juur-SK"
    - "Microsec e-Szigno Root CA"
    - "PSCProcert"
    - "Root CA Generalitat Valenciana"
    - "RSA Security 2048 v3"
    - "Security Communication EV RootCA1"
    - "S-TRUST Authentication and Encryption Root CA 2005 PN"
    - "Swisscom Root CA 1"
    - "Swisscom Root EV CA 2"
    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
    - "TURKTRUST Certificate Services Provider Root 2007"
    - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
    - "UTN USERFirst Hardware Root CA"
    - "Verisign Class 1 Public Primary Certification Authority"
    - "Verisign Class 2 Public Primary Certification Authority - G2"
    - "Verisign Class 3 Public Primary Certification Authority"
    - "WellsSecure Public Root Certificate Authority"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 07 Jul 2018 01:08:40 +0200

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services