Re: Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Graham Leggett
> Sent: Thursday, November 09, 2017 06:18
> To: openssl-users@xxxxxxxxxxx
> Subject: Re:  Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

> On 09 Nov 2017, at 4:17 AM, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

> > Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2 protocol level but not
> > supporting any of the 1.2 suites.

> Does this definitely mean no cipher, or could it mean “I failed earlier in the process before 
> I took note of the cipher, like with the no peer certificate available"?

Well, in this case it seems to mean "the server and I agreed on a cipher suite, but the server didn't do the thing it needed to do to make that suite usable".

> > Hmm. This claims they agreed on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Maybe
> > no ECC curves in common for ECDHE Kx?

> This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu xenial), although
> trying openssl as shipped by MacOS Sierra on the client side gives the same result.

At least prior to 1.1.0, to use ECC in OpenSSL the application has to make some additional calls. (I don't remember offhand how much of this goes away in the 1.1.0 API.) So it's quite possible for two applications using stock OpenSSL 1.0.x to fail to use an ECC suite.

> I set the ciphers explicitly on the server side to DEFAULT and got the same result (eliminating
> whatever weird settings postgresql-on-ubuntu might have as a default).

DEFAULT includes ECC suites. You should try something like DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.

> When openssl v1.0.2m tries to connect to postgresql running openssl v1.0.1f (ubuntu xenial), I get different behaviour:
> ...
> 2017-11-09 11:01:19 UTC [12025-1] [unknown]@[unknown] LOG:  invalid length of startup packet

Offhand, I don't know what the problem is here.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux