Hi all,

I am having quite a time trying to get postgresql v9.5 to talk over SSL on Ubuntu Xenial, running openssl v1.0.1f. Previously my setup was Ubuntu Trusty, and this works fine.

The questions I have based on the info below:

- It is the openssl s_client side that is triggering the handshake failure. Is there a way to get openssl to log why the handshake failed in the returned error message? Verification depth issue? No path to requested target? Something else?

- What is the significance of "no peer certificate available"? A tcpdump and the ssldump shows that three certificates are sent by the postgresql server, why would openssl claim no certificates were sent?

- The same certificates work fine in Ubuntu Trusty, they don’t work in Ubuntu Xenial. The certs are SHA256 certs, and consist of a root, two intermediates and a leaf cert. The postgresql server provides the two intermediates and the leaf cert, and the root is passed in -CAfile.

- Are there any known incompatibility issues with openssl on Xenial?

When I attempt to connect to postgresql using openssl s_client, I get this:

postgres@sql02:~$ openssl s_client -verify 10 -CAfile .postgresql/root.crt -key .postgresql/postgresql.key -cert .postgresql/postgresql.crt -connect sql01:5432 -servername sql01
verify depth is 10
CONNECTED(00000003)
139930468939416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 379 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510188432
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

ssldump confirms that it is the client side - that’s openssl - that’s rejecting the handshake and returning unknown ca:

New TCP connection #42: 172.29.231.43(33116) <-> 172.29.228.240(5432)
42 1  0.0038 (0.0038)  C>SV3.1(300)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          80 cf 99 66 b3 07 55 c2 3f cf b2 61 13 39 89 c1
          33 37 f4 77 21 a3 fd 2e f9 fa 9b 65 4e b5 bd 24
        cipher suites
        Unknown value 0xc030
        Unknown value 0xc02c
        Unknown value 0xc028
        Unknown value 0xc024
        Unknown value 0xc014
        Unknown value 0xc00a
        Unknown value 0xa5
        Unknown value 0xa3
        Unknown value 0xa1
        Unknown value 0x9f
        Unknown value 0x6b
        Unknown value 0x6a
        Unknown value 0x69
        Unknown value 0x68
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DH_RSA_WITH_AES_256_CBC_SHA
        TLS_DH_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0x86
        Unknown value 0x85
        Unknown value 0xc032
        Unknown value 0xc02e
        Unknown value 0xc02a
        Unknown value 0xc026
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x9d
        Unknown value 0x3d
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0x84
        Unknown value 0xc02f
        Unknown value 0xc02b
        Unknown value 0xc027
        Unknown value 0xc023
        Unknown value 0xc013
        Unknown value 0xc009
        Unknown value 0xa4
        Unknown value 0xa2
        Unknown value 0xa0
        Unknown value 0x9e
        TLS_DHE_DSS_WITH_NULL_SHA
        Unknown value 0x40
        Unknown value 0x3f
        Unknown value 0x3e
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DH_RSA_WITH_AES_128_CBC_SHA
        TLS_DH_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0x9a
        Unknown value 0x99
        Unknown value 0x98
        Unknown value 0x97
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0x43
        Unknown value 0x42
        Unknown value 0xc031
        Unknown value 0xc02d
        Unknown value 0xc029
        Unknown value 0xc025
        Unknown value 0xc00e
        Unknown value 0xc004
        Unknown value 0x9c
        Unknown value 0x3c
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0x96
        Unknown value 0x41
        Unknown value 0xc011
        Unknown value 0xc007
        Unknown value 0xc00c
        Unknown value 0xc002
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xff
        compression methods
                  NULL
42 2  0.0056 (0.0017)  S>CV3.3(62)  Handshake
      ServerHello
        Version 3.3
        random[32]=
          f9 4d fa 63 ee d5 65 6d ba dd 58 de 51 00 8e ac
          9f 45 24 43 e2 17 88 07 41 9a 8d aa 7f 95 2a 13
        session_id[0]=

        cipherSuite         Unknown value 0xc030
        compressionMethod                   NULL
42 3  0.0056 (0.0000)  S>CV3.3(3345)  Handshake
      Certificate
        certificate[1329]=[snip]
        certificate[1010]=[snip]
        certificate[990]=[snip]
42 4  0.0056 (0.0000)  S>CV3.3(333)  Handshake
      ServerKeyExchange
42 5  0.0056 (0.0000)  S>CV3.3(179)  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_types                 unknown value
Not enough data. Found 163 bytes (expecting 32767)
      ServerHelloDone
42 6  0.0061 (0.0004)  C>SV3.3(2)  Alert
    level           fatal
    value           unknown_ca
42    0.0062 (0.0001)  C>S  TCP RST

Regards,
Graham
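
The chain layout described in the post above (root passed as -CAfile, two intermediates and a leaf supplied by the peer) can be checked offline with `openssl verify`, which reports the verification error number and the depth at which it occurred. This is an added example, not part of the original post; the certificates are constructed throwaway ones, and the function names `build_chain` and `check_chain` are hypothetical.

```shell
#!/bin/sh
# Build a constructed chain in directory $1: root -> int1 -> int2 -> leaf.
build_chain() {
    dir=$1
    cat > "$dir/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -config "$dir/x.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=Constructed Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    issuer=root
    for name in int1 int2 leaf; do
        ext="-extfile $dir/x.cnf -extensions ca"   # CA:TRUE for the intermediates
        [ "$name" = leaf ] && ext=""                # the leaf is not a CA
        openssl req -config "$dir/x.cnf" -new -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -sha256 -days 2 $ext \
            -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial \
            -out "$dir/$name.crt" 2>/dev/null || return 1
        issuer=$name
    done
    # The intermediates a server would send alongside its leaf certificate.
    cat "$dir/int2.crt" "$dir/int1.crt" > "$dir/sent.pem"
}

# Verify leaf $3 against trusted root $1 using untrusted intermediates $2.
# Prints "ok", or "<error number> <depth>" taken from openssl's first error line.
check_chain() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1)
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1 \2/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo ok
    else echo unknown; fi
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && build_chain "$d" || exit 1
    echo "full chain:        $(check_chain "$d/root.crt" "$d/sent.pem" "$d/leaf.crt")"
    echo "int1 not supplied: $(check_chain "$d/root.crt" "$d/int2.crt" "$d/leaf.crt")"
    rm -rf "$d"
fi
```

Run with the argument `demo`. Error 20 is "unable to get local issuer certificate", and the depth counts up from the leaf at 0.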