Re: ssl connection issues - Mailing list pgsql-jdbc

From Gabriele Bulfon
Subject Re: ssl connection issues
Date
Msg-id 441859077.1912.1537279378378@www
Whole thread Raw
In response to Re: ssl connection issues  (Dave Cramer <pg@fastcrypt.com>)
Responses Re: ssl connection issues
List pgsql-jdbc
I used easy-rsa, same tools I use for OpenVPN.
Just cloned the easy-rsa tools to a specific new folder configured for Postgres and ran in sequence:
 
. ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
 
copied server.key, server.crt and ca.crt to my pgdata as server.key, server.crt and root.crt , configured postgres.conf with the server cert names and restarted postgres.
 
Then I built the client certificate with "./build-key client" speicifying the needed postgres user as dn.
They all works great on both Navicat and ODBC.
 
Gabriele





Da: Dave Cramer <pg@fastcrypt.com>
A: Gabriele Bulfon <gbulfon@sonicle.com>
Cc: Alexander Kjäll <alexander.kjall@gmail.com>pgsql-jdbc@lists.postgresql.org
Data: 18 settembre 2018 15.53.20 CEST
Oggetto: Re: ssl connection issues


Hi Gabriele,
 
Can you share your entire setup? How you are creating the certs, etc ?
 

On Tue, 18 Sep 2018 at 09:42, Gabriele Bulfon <gbulfon@sonicle.com> wrote:
I had a chance to clone the illumos zone to a separate server and upgrade postgres to latest 10.5.
The results are the same:
 
Postgres logs "could not accept SSL connection: ccs received early"
 
The Java code throws the exception:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 






Da: Dave Cramer <pg@fastcrypt.com>
A: Alexander Kjäll <alexander.kjall@gmail.com>
Cc: pgsql-jdbc@lists.postgresql.org
Data: 17 settembre 2018 12.38.18 CEST
Oggetto: Re: ssl connection issues



 

On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander.kjall@gmail.com> wrote:
Another avenue for debugging would be to get a free "real" certificate
from https://letsencrypt.org/ and check if that works.

That way you can see if it's something in your certificate creation
process that causes trouble.

//Alexander Kjäll

On 17. sep. 2018 11:56, Mark Rotteveel wrote:
> On 2018-09-17 11:23, Gabriele Bulfon wrote:
>> That may be a possibility, but given that I cannot upgrade at the
>> moment, how can I check this and maybe change the required cipher to
>> match?
>
> Debugging SSL problems is not really something I do regularly, but you
> may want to see if changing the settings in the java.security policy
> helps. Settings to try are:
>
> jdk.tls.disabledAlgorithms
> jdk.certpath.disabledAlgorithms
>
> For reference:
>
> Java 8 Update 31, disabled SSLv3:
> http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
> Java 8 Update 51, disabled some cipher suites, and limitations for DH
> keys where added:
> http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
> similar for Java 8 Update 60:
> http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
> Java 8 update 71 disabled MD5 hash validation of certificates
> Java 8 update 121 added restrictions on DSA keysize:
> http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
> Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
> http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
> Java 8 update 161 added limitations for DH keys, made some changes to
> certificate validation and disabled a number of cipher suites:
> http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
> Java 8 update 171 disabled some ciphersuites:
> http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>
> Mark
>
 
 
have a look at certdir in the source code. Setting up the ssl tests is not particularly difficult. Perhaps getting our tests working first might shed some light ??
 

pgsql-jdbc by date:

Previous
From: Dave Cramer
Date:
Subject: Re: ssl connection issues
Next
From: Dave Cramer
Date:
Subject: Re: ssl connection issues