Thread: [7.3] can't connect with SSL

[7.3] can't connect with SSL

From: valerian
Date:
I just upgraded my server from 7.2.1 to 7.3 last night, and can no longer
connect over SSL (unencrypted connections still work ok, but I really need
SSL).  I get the following error messages when I try to connect:

psql (PostgreSQL client) 7.2.1
    psql: could not establish SSL connection: No SSL error reported

serverlog:
    FATAL:  failed to initialize SSL connection: wrong version number

I have the same version of openssl on both the client and server
machines.  Both are running Debian 3.0, with these libs:
- libssl-dev     0.9.6c-2.woody SSL development libraries, header files
- libssl0.9.6    0.9.6c-2.woody SSL shared libraries
- openssl        0.9.6c-2.woody Secure Socket Layer (SSL) binary and related

My server configuration is like so (everything else is default):

pg_hba.conf:
    # TYPE    DATABASE    USER  IP-ADDRESS     IP-MASK            METHOD
    local     all         all                                     crypt
    hostssl   all         all   0.0.0.0         0.0.0.0           md5

postgresql.conf:
    tcpip_socket = true
    ssl = true

It was of course also configured for use with SSL:
/configure --with-perl --with-openssl=/usr/include/openssl
checking for SSL_library_init in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes

Now it sounds to me like this is an SSL handshake problem, but I don't
see why, because I have exactly the same version of openssl on both the
client and server machines.  On my client machine, I still have v7.2.1
of 'psql' (the client binary) as that's what came bundled with my
operating system.  I'm fairly certain that's not what's causing the
problem though (or is it?).
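The failure above happens after PostgreSQL's own SSL negotiation and inside the OpenSSL handshake, so it helps to separate the two stages. The following is an added example, not code from the thread or from PostgreSQL: it models the SSLRequest exchange that a libpq client performs before any TLS bytes flow (8-byte message, one-byte "S"/"N" answer) with a socketpair in place of a real server, and then classifies the first bytes a server would see afterwards (a TLS record header versus an SSLv2-compatible ClientHello), which is the kind of mismatch that OpenSSL reports as "wrong version number". The classifier's version table and the "server only accepts TLS records" policy are assumptions chosen for illustration, not a statement of what 7.3 actually did.

```python
"""
Added example (not from the mailing-list thread): an offline model of the
PostgreSQL SSL negotiation that precedes the OpenSSL handshake, plus a
classifier for the first handshake bytes a server receives afterwards.
"""
import socket
import struct
import threading

# SSLRequest code from the PostgreSQL frontend/backend protocol: (1234 << 16) | 5679
SSL_REQUEST_CODE = 80877103

# Record-layer version minors for TLS/SSLv3 records (major byte is always 3).
RECORD_VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}


def build_ssl_request() -> bytes:
    """SSLRequest message: int32 length (always 8) followed by int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_request(data: bytes) -> bool:
    """True if the 8 bytes are a well-formed SSLRequest."""
    if len(data) != 8:
        return False
    length, code = struct.unpack("!ii", data)
    return length == 8 and code == SSL_REQUEST_CODE


def run_negotiation(server_allows_ssl: bool = True) -> str:
    """Play the SSLRequest exchange over a socketpair; return the server's reply byte.

    The server thread stands in for a postmaster: it answers 'S' when SSL is
    enabled and the request is valid, otherwise 'N' (continue unencrypted).
    """
    client, server = socket.socketpair()

    def server_side():
        request = server.recv(8)
        if server_allows_ssl and parse_ssl_request(request):
            server.sendall(b"S")
        else:
            server.sendall(b"N")

    worker = threading.Thread(target=server_side)
    worker.start()
    client.sendall(build_ssl_request())
    reply = client.recv(1)
    worker.join()
    client.close()
    server.close()
    return reply.decode("ascii")


def classify_handshake_start(first: bytes) -> str:
    """Classify the first bytes a server reads after replying 'S'.

    A TLS/SSLv3 record starts with content type 0x16 (handshake) and a
    major version byte of 3; an SSLv2-compatible ClientHello starts with a
    2-byte length whose high bit is set, followed by message type 0x01.
    """
    if len(first) < 3:
        return "too-short"
    if first[0] == 0x16 and first[1] == 0x03:
        minor = first[2]
        return "tls-record:" + RECORD_VERSIONS.get(minor, f"unknown-minor-{minor}")
    if first[0] & 0x80 and first[2] == 0x01:
        return "sslv2-compatible-clienthello"
    return "not-a-handshake"


def server_accepts(first: bytes) -> bool:
    """Assumed policy for illustration: a server built to speak only TLS records
    rejects anything that is not a TLS/SSLv3 record header (the shape of a
    version mismatch between an old client hello and a newer server)."""
    return classify_handshake_start(first).startswith("tls-record:")


if __name__ == "__main__":
    print("negotiation reply:", run_negotiation())
    # Constructed sample record headers (first 5 bytes only).
    for sample in (b"\x16\x03\x01\x00\x2f", b"\x80\x2e\x01\x03\x01", b"GET /"):
        print(sample, "->", classify_handshake_start(sample), "accepted:", server_accepts(sample))
```

Run stand-alone it prints the negotiation reply and the classification of three constructed samples; when a real server logs a version error, capturing the first packet after the "S" byte and running it through `classify_handshake_start` tells you whether the client even began with the record format the server expects.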


Re: [7.3] can't connect with SSL

From: Bruce Momjian
Date:
We did overhaul the SSL code for 7.3, and I was able to get it working
using OpenSSL 0.9.6e 30 Jul 2002.  Have you read the new SSL
documentation in 7.3?

---------------------------------------------------------------------------

valerian wrote:
> I just upgraded my server from 7.2.1 to 7.3 last night, and can no longer
> connect over SSL (unencrypted connections still work ok, but I really need
> SSL).  I get the following error messages when I try to connect:
>
> psql (PostgreSQL client) 7.2.1
>     psql: could not establish SSL connection: No SSL error reported
>
> serverlog:
>     FATAL:  failed to initialize SSL connection: wrong version number
>
> I have the same version of openssl on both the client and server
> machines.  Both are running Debian 3.0, with these libs:
> - libssl-dev     0.9.6c-2.woody SSL development libraries, header files
> - libssl0.9.6    0.9.6c-2.woody SSL shared libraries
> - openssl        0.9.6c-2.woody Secure Socket Layer (SSL) binary and related
>
> My server configuration is like so (everything else is default):
>
> pg_hba.conf:
>     # TYPE    DATABASE    USER  IP-ADDRESS     IP-MASK            METHOD
>     local     all         all                                     crypt
>     hostssl   all         all   0.0.0.0         0.0.0.0           md5
>
> postgresql.conf:
>     tcpip_socket = true
>     ssl = true
>
> It was of course also configured for use with SSL:
> /configure --with-perl --with-openssl=/usr/include/openssl
> checking for SSL_library_init in -lssl... yes
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> checking openssl/err.h usability... yes
> checking openssl/err.h presence... yes
> checking for openssl/err.h... yes
>
> Now it sounds to me like this is an SSL handshake problem, but I don't
> see why, because I have exactly the same version of openssl on both the
> client and server machines.  On my client machine, I still have v7.2.1
> of 'psql' (the client binary) as that's what came bundled with my
> operating system.  I'm fairly certain that's not what's causing the
> problem though (or is it?)
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: [7.3] can't connect with SSL

From: valerian
Date:
On Fri, Dec 06, 2002 at 12:44:13PM -0500, Bruce Momjian wrote:
>
> We did overhaul the SSL code for 7.3, and I was able to get it working
> using OpenSSL 0.9.6e 30 Jul 2002.  Have you read the new SSL
> documentation in 7.3?

Ah, so I must be using an outdated openssl then.  I had read the INSTALL
file before compiling v7.3, but it didn't mention anything beyond making
sure you have a full openssl installation (with headers and all that).

I checked the new docs, but the SSL section doesn't say much beyond how
to create certificates and set up your pg_hba.conf.  The SSH tunnel idea
works fine though.  Guess I'll run with that for now.  It's not as nice
as having 'hostssl' as the only remote connection option (since it
doesn't enforce encryption), but oh well.


Re: [7.3] can't connect with SSL

From: Bruce Momjian
Date:
valerian wrote:
> On Fri, Dec 06, 2002 at 12:44:13PM -0500, Bruce Momjian wrote:
> >
> > We did overhaul the SSL code for 7.3, and I was able to get it working
> > using OpenSSL 0.9.6e 30 Jul 2002.  Have you read the new SSL
> > documentation in 7.3?
>
> Ah, so I must be using an outdated openssl then.  I had read the INSTALL
> file before compiling v7.3, but it didn't mention anything beyond making
> sure you have a full openssl installation (with headers and all that).

We didn't know what OpenSSL releases it supported.

> I checked the new docs, but the SSL section doesn't say much beyond how
> to create certificates and set up your pg_hba.conf.  The SSH tunnel idea

Yep, that was all we have.

> works fine though.  Guess I'll run with that for now.  It's not as nice
> as having 'hostssl' as the only remote connection option (since it
> doesn't enforce encryption), but oh well.

I had hostssl working here on BSD/OS.  One issue we had was that he went
with TLS encryption, which he said was fairly new but is the best one to
use.  I got it working here so I figured it was OK.  It would be
interesting to know if a newer version fixes it for you.


Re: [7.3] can't connect with SSL

From: Tom Lane
Date:
> valerian wrote:
>> Ah, so I must be using an outdated openssl then.

An update would be a good idea in any case.  IIRC, there are known
security loopholes in all openssl releases up to very recent times.
I'm using 0.9.6g here; I am pretty sure 0.9.6c is vulnerable,
not sure about 0.9.6e.  See www.openssl.org for details.

            regards, tom lane

Re: [7.3] can't connect with SSL

From: valerian
Date:
On Fri, Dec 06, 2002 at 02:07:13PM -0500, Bruce Momjian wrote:
> I had hostssl working here on BSD/OS.  One issue we had was that he went
> with TLS encryption, which he said was fairly new but is the best one to
> use.  I got it working here so I figured it was OK.  It would be
> interesting to know if a newer version fixes it for you.

I have a feeling that'll fix the problem, but alas I don't have time to
compile/install a more recent version of openssl at the moment (pretty
swamped now, been working 16 hour days).  But I'm pretty curious about
this myself, so I'll let y'all know how it turns out.


Re: [7.3] can't connect with SSL

From: valerian
Date:
On Fri, Dec 06, 2002 at 03:39:36PM -0500, Tom Lane wrote:
> An update would be a good idea in any case.  IIRC, there are known
> security loopholes in all openssl releases up to very recent times.
> I'm using 0.9.6g here; I am pretty sure 0.9.6c is vulnerable,
> not sure about 0.9.6e.  See www.openssl.org for details.

Actually it's quite safe, because it's from a Debian package and they
often back-port serious/security-related bug fixes.  Weird, I know,
but they don't like to add untested software to their 'stable' branch
if at all possible.  They prefer applying the patches themselves.