Thread: ssl connection issues

ssl connection issues

From
Gabriele Bulfon
Date:
Hello,
 
I recently configured PostgreSQL 9.0.9 with SSL only "on" and all its needed server certificates.
I then created the client certificates and started working with them from a Windows client.

At first I used them with tools like Navicat: I just specified the 3 cert files (key, crt and root.crt) in the SSL pane, and it worked fine.

Then I tried with ODBC: I placed the files in %APPDATA%/postgresql with the correct names (postgresql.key, postgresql.crt, root.crt), created the connection and tested it, and it worked fine.

Last I tried with JDBC, thinking it would be just as easy: I've been fighting for 2 days with lots of different issues.
After some messing about, I also finally discovered that, unlike ODBC, it looks for a pk8 file (why this difference?).
I created the pk8 file on the server from the original key used for ODBC, with the command:
# openssl pkcs8 -topk8 -in client.key -out client.pk8 -outform DER -nocrypt
then placed the pk8 file in %APPDATA%/postgresql and launched my test Java connection:
 
Connection con=DriverManager.getConnection("jdbc:postgresql://myhost:5432/mydb?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=require","user","pass");
 
And now I get this:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: decrypt_error
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 
I tried with jdk1.7, jdk1.8 and openjdk1.8.
 
Any idea?
Gabriele

Re: ssl connection issues

From
Vladimir Sitnikov
Date:
>Last I tried with jdbc, thinking it would have been so easy: I'm fighting for 2 days with lots of different issues.

Which pgjdbc version are you using?

>it would look for a pk8 file (why this difference?).

I've no idea.

>sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory

It is the default, so you might omit that.

>ssl=true&sslmode=require

It is a bit misleading, and I would recommend sticking to sslmode.   ssl=

>Received fatal alert: decrypt_error

It does look like the Java side does not support the cipher.
What was the way to create the server certificate?

Could you please list the output of the following?

openssl x509 -in server.crt -text

Vladimir

Re: ssl connection issues

From
Dave Cramer
Date:




On Thu, 13 Sep 2018 at 09:34, Vladimir Sitnikov <sitnikov.vladimir@gmail.com> wrote:
> >Last I tried with jdbc, thinking it would have been so easy: I'm fighting for 2 days with lots of different issues.
>
> Which pgjdbc version are you using?
>
> >it would look for a pk8 file (why this difference?).
>
> I've no idea.
As far as I know Java requires a pk8 file 


Re: ssl connection issues

From
Craig Ringer
Date:
On 13 September 2018 at 20:23, Gabriele Bulfon <gbulfon@sonicle.com> wrote:
> Hello,
>
> I recently configured Postgresql 9.0.9 with SSL only "on" and all its needed server certificates.
> I then created the client certificates and started working with them from a windows client.
>
> At first I used them with tools like Navicat, just specified the 3 certs files (key,crt and root.crt) in the ssl pane, worked fine.
>
> Then I tried with ODBC, placed the files in %APPDATA%/postgresql with correct names (postgresql.key, postgresql.crt, root.crt), created the connection and tested it, worked fine.
>
> Last I tried with jdbc, thinking it would have been so easy: I'm fighting for 2 days with lots of different issues.
> After some messing, I also finally discovered that, different from odbc, it would look for a pk8 file (why this difference?).

AFAIK it's largely historical, and due to now-lifted limitations in JSSE.

You should probably use sslfactory=org.postgresql.ssl.LibPQFactory and possibly specify explicit paths for the sslcert and sslkey parameters.

This seems to be undocumented, unfortunately.


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

Re: ssl connection issues

From
Gabriele Bulfon
Date:
Hi,
 
sorry, I'm replying to my own original email, because due to some unwanted filter I lost the thread emails from the list in my inbox...
 
Vladimir, here is the output from openssl:
 
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=www.company.it/emailAddress=email@company.it
Validity
Not Before: Sep 11 07:40:57 2018 GMT
Not After : Sep 8 07:40:57 2028 GMT
Subject: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=server.name.com/emailAddress=email@company.it
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:99:1e:60:44:76:63:dc:9c:49:c3:d0:69:81:ac:
81:2a:19:28:01:70:9c:c9:d5:0b:22:b9:4c:78:75:
a9:d5:80:18:96:ad:cd:94:cd:cd:a4:36:0f:a6:06:
0f:c7:41:2f:66:43:49:08:53:ff:54:be:ad:bc:02:
76:eb:66:94:40:fa:4e:65:44:37:69:6d:43:62:9a:
5e:8a:46:30:d8:55:af:aa:27:bb:b8:e0:c3:ed:75:
2f:92:11:69:e5:24:c3:e8:d5:a4:92:52:22:b0:8e:
93:0d:57:95:25:e6:c0:c4:42:f8:36:67:fe:bb:d8:
22:51:f4:b3:e9:e8:dc:34:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
Easy-RSA Generated Server Certificate
X509v3 Subject Key Identifier:
B7:82:BB:04:2C:66:7E:78:72:D8:DD:2A:CB:84:A7:A9:8B:52:EB:5B
X509v3 Authority Key Identifier:
keyid:BC:ED:8A:2A:3A:D7:F9:B0:97:9C:18:9A:F5:01:D1:83:EB:32:C2:89
DirName:/C=IT/ST=MI/L=Assago/O=Company S.p.A./CN=www.company.it/emailAddress=email@company.it
serial:87:84:72:38:BB:2F:30:A2

X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
52:ae:b0:1f:6a:e8:ab:f3:ca:a5:bf:2e:96:75:a6:4a:a7:c1:
32:d0:c6:53:d2:c8:36:d1:00:f6:56:b5:d8:99:65:b0:3b:a1:
11:d6:63:d3:c5:60:5d:69:14:46:b3:10:a7:c5:f1:34:fe:c0:
b5:bc:90:72:c1:2b:ff:c8:e8:3d:54:d5:2a:0c:19:c3:f5:16:
ab:f2:cd:89:4e:eb:f6:b7:5a:36:43:c3:88:11:41:67:31:f8:
15:ad:45:19:50:0d:ec:fd:81:9b:03:47:f4:71:a0:f3:58:b6:
c8:a9:29:12:d9:a7:b3:00:77:d5:2c:7c:2e:de:10:fe:8f:52:
d4:c2
-----BEGIN CERTIFICATE-----
MIID2DCCA0GgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCSVQx
CzAJBgNVBAgTAk1JMQ8wDQYDVQQHEwZBc3NhZ28xGDAWBgNVBAoTD0VuY29kYXRh
IFMucC5BLjEYMBYGA1UEAxMPd3d3LmVuY29kYXRhLml0MSIwIAYJKoZIhvcNAQkB
FhNlbmNkYXRhQGVuY29kYXRhLml0MB4XDTE4MDkxMTA3NDA1N1oXDTI4MDkwODA3
NDA1N1owgYcxCzAJBgNVBAYTAklUMQswCQYDVQQIEwJNSTEPMA0GA1UEBxMGQXNz
YWdvMRgwFgYDVQQKEw9FbmNvZGF0YSBTLnAuQS4xHDAaBgNVBAMTE2lzY29ib2wu
c29uaWNsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2VuY2RhdGFAZW5jb2RhdGEuaXQw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJkeYER2Y9ycScPQaYGsgSoZKAFw
nMnVCyK5THh1qdWAGJatzZTNzaQ2D6YGD8dBL2ZDSQhT/1S+rbwCdutmlED6TmVE
N2ltQ2KaXopGMNhVr6onu7jgw+11L5IRaeUkw+jVpJJSIrCOkw1XlSXmwMRC+DZn
/rvYIlH0s+no3DTrAgMBAAGjggFUMIIBUDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIB
AQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNlcnZl
ciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUt4K7BCxmfnhy2N0qy4SnqYtS61swgbgG
A1UdIwSBsDCBrYAUvO2KKjrX+bCXnBia9QHRg+sywomhgYmkgYYwgYMxCzAJBgNV
BAYTAklUMQswCQYDVQQIEwJNSTEPMA0GA1UEBxMGQXNzYWdvMRgwFgYDVQQKEw9F
bmNvZGF0YSBTLnAuQS4xGDAWBgNVBAMTD3d3dy5lbmNvZGF0YS5pdDEiMCAGCSqG
SIb3DQEJARYTZW5jZGF0YUBlbmNvZGF0YS5pdIIJAIeEcji7LzCiMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQBSrrAf
auir88qlvy6WdaZKp8Ey0MZT0sg20QD2VrXYmWWwO6ER1mPTxWBdaRRGsxCnxfE0
/sC1vJBywSv/yOg9VNUqDBnD9Rar8s2JTuv2t1o2Q8OIEUFnMfgVrUUZUA3s/YGb
A0f0caDzWLbIqSkS2aezAHfVLHwu3hD+j1LUwg==
-----END CERTIFICATE-----







Re: ssl connection issues

From
Dave Cramer
Date:



On Thu, 13 Sep 2018 at 11:10, Craig Ringer <craig@2ndquadrant.com> wrote:
> AFAIK it's largely historical, and due to now-lifted limitations in JSSE.
>
> You should probably use sslfactory=org.postgresql.ssl.LibPQFactory and possibly specify explicit paths for the sslcert and sslkey parameters.
>
> This seems to be undocumented, unfortunately.

The default is LibPQFactory and it is fairly well documented:

https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters

If this is lacking please let me know. I will fix it.

Thanks
Dave Cramer

davec@postgresintl.com


Re: ssl connection issues

From
Craig Ringer
Date:

On 14 September 2018 at 18:20, Dave Cramer <pg@fastcrypt.com> wrote:




> the default is LibPQFactory and it is fairly well documented.
>
> https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters

Nope, apparently the only problem is my reading ability. Sorry.

That does make me wonder why Gabriele is having this issue though.



--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

Re: ssl connection issues

From
Mark Rotteveel
Date:
On 2018-09-17 10:22, Craig Ringer wrote:
> On 14 September 2018 at 18:20, Dave Cramer <pg@fastcrypt.com> wrote:
> 
> the default is LibPQFactory and it is fairly well documented.
> 
> https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters
> 
> Nope, apparently the only problem is my reading ability. Sorry.
> 
> That does make me wonder why Gabriele is having this issue though.

Given the age of PostgreSQL 9.0, could it be a SSL/TLS version problem, 
given all the default restrictions to supported SSL/TLS versions and 
supported cipher suites in recent Java version?

Mark


Re: ssl connection issues

From
Gabriele Bulfon
Date:
That may be a possibility, but given that I cannot upgrade at the moment, how can I check this and maybe change the required cipher to match?
 
Gabriele






Re: ssl connection issues

From
Mark Rotteveel
Date:
On 2018-09-17 11:23, Gabriele Bulfon wrote:
> That may be a possibility, but given that I cannot upgrade at the
> moment, how can I check this and maybe change the required cipher to
> match?

Debugging SSL problems is not really something I do regularly, but you 
may want to see if changing the settings in the java.security policy 
helps. Settings to try are:

jdk.tls.disabledAlgorithms
jdk.certpath.disabledAlgorithms

For reference:

Java 8 Update 31 disabled SSLv3: http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html
Java 8 Update 51 disabled some cipher suites, and limitations for DH keys were added: http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html
Similar for Java 8 Update 60: http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
Java 8 Update 71 disabled MD5 hash validation of certificates.
Java 8 Update 121 added restrictions on DSA key size: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
Java 8 Update 141 disabled SHA-1 hashes for the certificate chain: http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
Java 8 Update 161 added limitations for DH keys, made some changes to certificate validation and disabled a number of cipher suites: http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
Java 8 Update 171 disabled some cipher suites: http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html

Mark
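Mark's list pairs each Java 8 update with what it disabled, but the only reliable way to know whether a particular certificate trips one of those rules is to read the actual jdk.certpath.disabledAlgorithms line from the JDK in use and compare the certificate against it. The following Python script is an added example for this thread, not pgjdbc code and not something any poster wrote: it extracts the signature algorithm, key algorithm and key size from an `openssl x509 -text` dump (the output Vladimir asked for) and evaluates a simplified subset of the java.security constraint grammar: bare algorithm names, `keySize` comparisons, and the conditional `jdkCA & usage` form. The embedded OPENSSL_TEXT is a constructed sample that keeps only the header lines of the server certificate posted earlier in the thread (sha1WithRSAEncryption, 1024-bit RSA); JDK8U141_CERTPATH is my recollection of the 8u141 default and is an assumption, so paste the line from your own java.security file instead. The file name check_certpath.py used below is hypothetical.

```python
"""Check a certificate against a Java-style jdk.certpath.disabledAlgorithms string.

Added example for this thread (not pgjdbc code, not posted by any participant).
It reads the relevant fields from an `openssl x509 -text` dump and evaluates a
simplified subset of the java.security constraint grammar:
    "ALG", "ALG keySize OP N", and the conditional "ALG jdkCA & usage X" form.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: header lines of the server certificate posted in the
# thread (sha1WithRSAEncryption, 1024-bit RSA); modulus and PEM body omitted.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=www.company.it
        Validity
            Not Before: Sep 11 07:40:57 2018 GMT
            Not After : Sep  8 07:40:57 2028 GMT
        Subject: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=server.name.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# Assumption: the jdk.certpath.disabledAlgorithms default shipped with Java 8u141.
# Read the real line from $JAVA_HOME/jre/lib/security/java.security rather than
# trusting this constant.
JDK8U141_CERTPATH = ("MD2, MD5, SHA1 jdkCA & usage TLSServer, "
                     "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224")

_HASHES = {"md2": "MD2", "md5": "MD5", "sha1": "SHA1", "sha224": "SHA224",
           "sha256": "SHA256", "sha384": "SHA384", "sha512": "SHA512"}
_KEY_ALGS = {"rsaencryption": "RSA", "id-ecpublickey": "EC", "dsaencryption": "DSA"}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


@dataclass
class CertSummary:
    sig_alg: str   # as printed by OpenSSL, e.g. sha1WithRSAEncryption
    hash_alg: str  # Java constraint name of the signature hash, e.g. SHA1
    key_alg: str   # RSA / DSA / EC
    key_bits: int


@dataclass
class Finding:
    algorithm: str
    reason: str
    conditional: bool  # True when the rule only bites under jdkCA/usage/denyAfter


def _hash_of(sig_alg: str) -> str:
    """Map sha1WithRSAEncryption / ecdsa-with-SHA256 / ... to the Java hash name."""
    low = sig_alg.lower()
    for token, java_name in _HASHES.items():
        if token in low:
            return java_name
    return sig_alg.upper()


def parse_openssl_text(text: str) -> CertSummary:
    """Pull signature algorithm, key algorithm and key size from `openssl x509 -text`."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+)\s*bit\)", text)
    if not (sig and key and bits):
        raise ValueError("input does not look like `openssl x509 -text` output")
    return CertSummary(sig_alg=sig.group(1), hash_alg=_hash_of(sig.group(1)),
                       key_alg=_KEY_ALGS.get(key.group(1).lower(), key.group(1).upper()),
                       key_bits=int(bits.group(1)))


def evaluate(cert: CertSummary, constraints: str) -> List[Finding]:
    """Return one Finding per constraint entry that matches the certificate."""
    findings: List[Finding] = []
    for entry in (e.strip() for e in constraints.split(",")):
        if not entry:
            continue
        head, _, rest = entry.partition(" ")
        alg = head.upper()
        hits_key, hits_hash = alg == cert.key_alg.upper(), alg == cert.hash_alg.upper()
        if not (hits_key or hits_hash):
            continue
        size = re.search(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", rest)
        if size:  # key-size rules concern the key, never the signature hash
            op, limit = size.group(1), int(size.group(2))
            if hits_key and _OPS[op](cert.key_bits, limit):
                findings.append(Finding(alg, f"{alg} key of {cert.key_bits} bits "
                                             f"matches 'keySize {op} {limit}'", False))
            continue
        conditional = any(word in rest for word in ("jdkCA", "usage", "denyAfter"))
        reason = (f"{alg} disabled when {rest.strip()}" if conditional
                  else f"{alg} disabled outright")
        findings.append(Finding(alg, reason, conditional))
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else OPENSSL_TEXT
    summary = parse_openssl_text(text)
    print(f"{summary.sig_alg}, {summary.key_alg} {summary.key_bits} bit")
    for f in evaluate(summary, JDK8U141_CERTPATH):
        print(("possible" if f.conditional else "HARD"), "-", f.reason)
```

Run it on real output with `openssl x509 -in server.crt -text | python3 check_certpath.py`. On the sample, the 8u141 default yields one conditional finding (SHA-1, which that rule only applies when the chain ends at a CA from the JDK's own cacerts and the certificate is used as a TLS server certificate) and no key-size finding, since 1024 is not below 1024; a stricter policy such as "SHA1, RSA keySize < 2048" flags both outright. The script models certificate properties only: jdk.tls.disabledAlgorithms, the other setting Mark named, governs protocol versions, DH sizes and cipher suites during the handshake and is not evaluated here, so a handshake alert like the decrypt_error in the first message still calls for `-Djavax.net.debug=ssl,handshake` on the client to see what was actually negotiated.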


Re: ssl connection issues

From
Alexander Kjäll
Date:
Another avenue for debugging would be to get a free "real" certificate 
from https://letsencrypt.org/ and check if that works.

That way you can see if it's something in your certificate creation 
process that causes trouble.

//Alexander Kjäll



Re: ssl connection issues

From
Dave Cramer
Date:




Have a look at certdir in the source code. Setting up the SSL tests is not particularly difficult. Perhaps getting our tests working first might shed some light?

Re: ssl connection issues

From
Gabriele Bulfon
Date:
I had a chance to clone the illumos zone to a separate server and upgrade postgres to latest 10.5.
The results are the same:
 
Postgres logs "could not accept SSL connection: ccs received early"
 
The Java code throws the exception:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 







Re: ssl connection issues

From
Dave Cramer
Date:
Hi Gabriele,

Can you share your entire setup? How are you creating the certs, etc.?


set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 







Re: ssl connection issues

From
Gabriele Bulfon
Date:
I used easy-rsa, same tools I use for OpenVPN.
Just cloned the easy-rsa tools to a specific new folder configured for Postgres and ran in sequence:
 
. ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
 
Copied server.key, server.crt and ca.crt to my pgdata as server.key, server.crt and root.crt, configured postgres.conf with the server cert names and restarted postgres.

Then I built the client certificate with "./build-key client", specifying the needed postgres user as DN.
They all work great on both Navicat and ODBC.
 
Gabriele






Re: ssl connection issues

From
Dave Cramer
Date:
The Java client needs the server crt as well. Did you provide that to Java?


Re: ssl connection issues

From
Gabriele Bulfon
Date:
The only server cert known to me that is needed by the client is the root.crt (the CA cert) of the server used to sign the client cert.
These three files are all that is needed by the ODBC driver, by the native Navicat DLL connection, and by any other cert-based SSL connection such as OpenVPN.
Actually the JDBC code is not complaining about the certs (if I remove any of them it will complain); something is going wrong during the SSL handshake that I cannot understand.
 
Is there any way to log more stuff on the server postgres.log about the ssl handshake?
 
Gabriele






Re: ssl connection issues

From
Dave Cramer
Date:



On Tue, 18 Sep 2018 at 11:23, Gabriele Bulfon <gbulfon@sonicle.com> wrote:
The only server cert known to me that is needed by the client is the root.crt (the CA cert) of the server used to sign the client cert.
These three files are all that is needed by the ODBC driver, by the native Navicat DLL connection, and by any other cert-based SSL connection such as OpenVPN.
Actually the JDBC code is not complaining about the certs (if I remove any of them it will complain); something is going wrong during the SSL handshake that I cannot understand.
 
Is there any way to log more stuff on the server postgres.log about the ssl handshake?

I'm sure there is, but I don't know how. The server is not my domain.

Try connecting with psql. If you can connect with that, then JDBC should be able to connect.

 
Gabriele





Da: Dave Cramer <pg@fastcrypt.com>
A: Gabriele Bulfon <gbulfon@sonicle.com>
Cc: Alexander Kjäll <alexander.kjall@gmail.com>pgsql-jdbc@lists.postgresql.org
Data: 18 settembre 2018 16.06.14 CEST
Oggetto: Re: ssl connection issues


The java client needs the server crt as well. Did you provide that to java ?

On Tue, 18 Sep 2018 at 10:03, Gabriele Bulfon <gbulfon@sonicle.com> wrote:
I used easy-rsa, same tools I use for OpenVPN.
Just cloned the easy-rsa tools to a specific new folder configured for Postgres and ran in sequence:
 
. ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
 
copied server.key, server.crt and ca.crt to my pgdata as server.key, server.crt and root.crt , configured postgres.conf with the server cert names and restarted postgres.
 
Then I built the client certificate with "./build-key client", specifying the needed postgres user as dn.
They all work great on both Navicat and ODBC.
 
Gabriele





From: Dave Cramer <pg@fastcrypt.com>
To: Gabriele Bulfon <gbulfon@sonicle.com>
Cc: Alexander Kjäll <alexander.kjall@gmail.com>, pgsql-jdbc@lists.postgresql.org
Date: 18 September 2018 15:53:20 CEST
Subject: Re: ssl connection issues


Hi Gabriele,
 
Can you share your entire setup? How you are creating the certs, etc ?
 

On Tue, 18 Sep 2018 at 09:42, Gabriele Bulfon <gbulfon@sonicle.com> wrote:
I had a chance to clone the illumos zone to a separate server and upgrade postgres to latest 10.5.
The results are the same:
 
Postgres logs "could not accept SSL connection: ccs received early"
 
The Java code throws the exception:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 

Re: ssl connection issues

From
zloster
Date:
Hi to all,
IMO it will be better to inspect the SSL/TLS handshake at the client - the machine that is initiating the connection to the PostgreSQL server through the JDBC driver.

Here are some links with the basic stuff about debugging the SSL/TLS connections with the JVM:
  1. https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https - this is an introduction document. It points to the following two pages. The first describes what debug tools are available and the second shows how to read the debug output:
  2. https://access.redhat.com/solutions/973783 - same as the above but in Q&A style
I've used the debug output once, when I needed to investigate why communication with a test HTTPS endpoint was working from a browser but not from a Java 8 program. After nearly one day of looking at the connection logs, the problem turned out to be in the certificate chain: the browser was happy with the intermediate certificates, but the JVM was not.

Best regards,
zloster

Re: ssl connection issues

From
Gabriele Bulfon
Date:
Thanks, I tried enabling all the client debug info, but didn't get much from it.
I will try to create certs from scratch, using the openssl tool instead of easy-rsa, and see if something changes.
 
Gabriele


-= Sent using Webtop 5 =-

Gabriele Bulfon - Sonicle S.r.l.

Tel +39 028246016 - Fax +39 028243880
Strada 6, Palazzo A13 - 20090 - Assago Milanofiori - MI
http://www.sonicle.com


Re: ssl connection issues

From
"Davis, James A. (LARC-D318)[LITES II]"
Date:

From an outside SA view, I have to ask, did you import your cert into the Java cacerts file?

I see a slew of SSL application problems weekly that are generated by the local Java installation not having any generated/local host certs imported that are used by developer applications. If you have multiple versions of Java, ensure you import your cert into each of their cacerts. This is more a problem on Windows than Linux.

 

James Davis

SSAI contractor

Lites II Systems Administrator

NASA Langley Research Center

Hampton, VA. 23666

Office: 757-864-2731

Cell:  757-580-6398


Re: ssl connection issues

From
Dave Cramer
Date:
Hello,

I have been able to replicate this problem, and setting
tlsProperties.setProperty(SSL_PASSWORD.getName(),"");
or the correct ssl password should work.

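An added example (not code from this thread or from pgjdbc itself) of a client-certificate connection that applies the fix above: it first checks that the sslkey file really is an unencrypted PKCS#8 DER key, sets sslpassword to "" through PGProperty (SSL_PASSWORD is assumed to exist in the 42.2.5 driver seen in the log), uses verify-full with root.crt instead of require, and confirms from pg_stat_ssl that the session is TLS-protected. The host, database, role name and file names are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;
import java.sql.*;
import java.util.Properties;
import org.postgresql.PGProperty;

public class PgClientCertCheck {

    // LibPQFactory reads sslkey as an unencrypted PKCS#8 key in DER form (the output of
    // "openssl pkcs8 -topk8 -nocrypt -outform DER"). A PEM or encrypted key fails here,
    // which is exactly when the driver asks for a key password during the handshake.
    static PrivateKey loadPkcs8Der(Path keyFile) throws Exception {
        byte[] der = Files.readAllBytes(keyFile);
        String head = new String(der, 0, Math.min(der.length, 10), StandardCharsets.US_ASCII);
        if (head.startsWith("-----BEGIN")) {
            throw new IllegalArgumentException(keyFile + " is PEM; convert it with openssl pkcs8");
        }
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (InvalidKeySpecException e) {
            throw new IllegalArgumentException(keyFile + " is not an unencrypted PKCS#8 RSA key", e);
        }
    }

    // Client-certificate connection properties (role name and file names are assumptions).
    // verify-full validates the server certificate against root.crt and checks the host
    // name; sslmode=require, as used in the thread, encrypts but does not authenticate.
    static Properties clientCertProperties(Path certDir) {
        Properties props = new Properties();
        props.setProperty(PGProperty.USER.getName(), "appuser");
        props.setProperty(PGProperty.SSL.getName(), "true");
        props.setProperty(PGProperty.SSL_MODE.getName(), "verify-full");
        props.setProperty(PGProperty.SSL_ROOT_CERT.getName(), certDir.resolve("root.crt").toString());
        props.setProperty(PGProperty.SSL_CERT.getName(), certDir.resolve("postgresql.crt").toString());
        props.setProperty(PGProperty.SSL_KEY.getName(), certDir.resolve("postgresql.pk8").toString());
        // The fix from this thread: an explicit (empty) key password stops the driver
        // from falling back to prompting for one.
        props.setProperty(PGProperty.SSL_PASSWORD.getName(), "");
        return props;
    }

    // Server-side confirmation that the session is TLS-protected, with protocol and cipher.
    static String describeTls(Connection con) throws SQLException {
        String sql = "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            if (!rs.next() || !rs.getBoolean("ssl")) {
                throw new IllegalStateException("session is not TLS-protected");
            }
            return rs.getString("version") + " " + rs.getString("cipher");
        }
    }

    public static void main(String[] args) throws Exception {
        // %APPDATA%\postgresql is where the driver looks for these files by default on Windows.
        Path certDir = Paths.get(System.getenv("APPDATA"), "postgresql");
        loadPkcs8Der(certDir.resolve("postgresql.pk8"));
        String url = "jdbc:postgresql://db.example.internal:5432/mydb"; // placeholder host and db
        try (Connection con = DriverManager.getConnection(url, clientCertProperties(certDir))) {
            System.out.println("TLS session: " + describeTls(con));
        }
    }
}
```

pg_stat_ssl needs PostgreSQL 9.5 or newer, so it applies to the 10.5 server from the later test but not to the original 9.0.9 one.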