Re: buildfarm server suddenly not talking to old SSL stacks? - Mailing list pgsql-www

From Magnus Hagander
Subject Re: buildfarm server suddenly not talking to old SSL stacks?
Msg-id CABUevEwJ7QT53Yxe6Q=SH05iTJ_Cv=4Twg5yPWpDs_wUxUM2VQ@mail.gmail.com
In response to Re: buildfarm server suddenly not talking to old SSL stacks?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: buildfarm server suddenly not talking to old SSL stacks?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-www


On Tue, Jul 17, 2018 at 7:29 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Tue, Jul 17, 2018 at 7:04 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Also, on prairiedog's host, this is what I get for the https case:
>>>
>>> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("
>>> https://buildfarm.postgresql.org/branches_of_interest.txt");'
>>> 500 Can't connect to buildfarm.postgresql.org:443 <URL:https://buildfarm.
>>> postgresql.org/branches_of_interest.txt>
>>>
>>> which isn't terribly informative but it doesn't look like an SSL
>>> certificate failure.
>
>> That one I believe more in since it could be because of SSL issues. What do
>> you get with curl on that one?
>
> Both machines show the same behavior with curl:
>
> $ curl https://buildfarm.postgresql.org/branches_of_interest.txt
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Ah. Some googling shows that does seem to indicate an old version of OpenSSL.

The old config rejected sslv2 and sslv3, but allowed tlsv1.

The new one refuses both tlsv1 and tlsv1.1, allowing only tlsv1.2.

As a check if this might be it, I have at least temporarily removed that restriction. Can you try again now?

> $ curl http://buildfarm.postgresql.org/branches_of_interest.txt
> REL9_3_STABLE
> REL9_4_STABLE
> REL9_5_STABLE
> REL9_6_STABLE
> REL_10_STABLE
> REL_11_STABLE
> HEAD
>
> Now, curl is the OS-supplied one and probably isn't sharing any userspace
> infrastructure at all with prairiedog's Perl stack.  On the other hand,
> dromedary is using Apple's perl installation so it's possible that it
> shares root-certificate infrastructure with curl.

--
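
Added example (not part of the original message, and not buildfarm or OpenSSL code): it decodes the OpenSSL 1.x error code from the quoted curl line into library, function and reason fields, showing that reason 1070 is the peer's TLS alert 70 (protocol_version), and then models pre-TLS-1.3 version selection for the two server configurations described in the message. Assumptions: the old configuration enabled TLSv1 through TLSv1.2, and the failing clients offer at most TLSv1; the names `decode_openssl_error`, `negotiate`, `OLD_CONFIG` and `NEW_CONFIG` are illustrative.

```python
import re

# OpenSSL 1.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
# A reason >= 1000 means "the peer sent TLS alert number (reason - 1000)".
SSL_AD_REASON_OFFSET = 1000
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}  # RFC 5246 subset
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest


def decode_openssl_error(line):
    """Split the hex code in an 'error:XXXXXXXX:...' line into its fields."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if not m:
        raise ValueError("no OpenSSL 1.x error code in line")
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": ALERTS.get(alert)}


def negotiate(client_max, server_enabled):
    """Pre-TLS-1.3 rule: the server picks its newest enabled version that is
    not newer than the client's offer; None means it answers with alert 70."""
    usable = [v for v in ORDER[: ORDER.index(client_max) + 1] if v in server_enabled]
    return usable[-1] if usable else None


# Line copied from the curl output quoted in the message above.
CURL_LINE = ("curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:"
             "tlsv1 alert protocol version")
# Assumed readings of the two server configurations described in the message.
OLD_CONFIG = {"TLSv1", "TLSv1.1", "TLSv1.2"}
NEW_CONFIG = {"TLSv1.2"}

if __name__ == "__main__":
    print(decode_openssl_error(CURL_LINE))
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        for client in ("TLSv1", "TLSv1.2"):
            print(name, client, "->", negotiate(client, cfg) or "alert 70 protocol_version")
```

The "tlsv1" in the curl message is part of OpenSSL's name for the alert, not the version that was negotiated. OpenSSL 3.x lays out error codes differently, so the field split applies only to 1.x-style codes like the one quoted.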
