Re: ssl connection issues

From: Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
To: Dave Cramer <pg(at)fastcrypt(dot)com>, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: ssl connection issues
Date: 2018-09-18 13:42:47
Message-ID: 1954323705.1855.1537278167094@www
Lists: pgsql-jdbc

I had a chance to clone the illumos zone to a separate server and upgrade postgres to the latest 10.5.
The results are the same:
 
Postgres logs "could not accept SSL connection: ccs received early"
 
The Java code throws the exception:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 
Sonicle S.r.l.: http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics: http://www.cdbaby.com/cd/gabrielebulfon
From: Dave Cramer
To: Alexander Kjäll
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Date: 17 September 2018 12.38.18 CEST
Subject: Re: ssl connection issues
 
On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com> wrote:

Another avenue for debugging would be to get a free "real" certificate from https://letsencrypt.org/ and check if that works.
That way you can see if it's something in your certificate creation process that causes trouble.

//Alexander Kjäll

On 17. sep. 2018 11:56, Mark Rotteveel wrote:

On 2018-09-17 11:23, Gabriele Bulfon wrote:

That may be a possibility, but given that I cannot upgrade at the moment, how can I check this and maybe change the required cipher to match?

Debugging SSL problems is not really something I do regularly, but you may want to see if changing the settings in the java.security policy helps. Settings to try are:

jdk.tls.disabledAlgorithms
jdk.certpath.disabledAlgorithms

For reference:

Java 8 Update 31, disabled SSLv3: http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
Java 8 Update 51, disabled some cipher suites, and limitations for DH keys were added: http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
similar for Java 8 Update 60: http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
Java 8 update 71 disabled MD5 hash validation of certificates
Java 8 update 121 added restrictions on DSA keysize: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
Java 8 Update 141 disabled SHA-1 hashes for the certificate chain: http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
Java 8 update 161 added limitations for DH keys, made some changes to certificate validation and disabled a number of cipher suites: http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
Java 8 update 171 disabled some ciphersuites: http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html

Mark
 
 
Have a look at certdir in the source code. Setting up the ssl tests is not particularly difficult. Perhaps getting our tests working first might shed some light?
 
Dave Cramer
davec(at)postgresintl(dot)com
www.postgresintl.com
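
An added example, not part of the original thread or of the pgjdbc code base: a small Java diagnostic for the two java.security settings named in the quoted advice (jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms). It prints their current values and lists which protocols and cipher suites the JRE supports but does not enable by default. The class name TlsPolicyDump and the helper names are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (class name TlsPolicyDump is hypothetical): shows what the
// local JRE's java.security policy allows for a TLS client handshake.
public class TlsPolicyDump {

    // Items present in 'supported' but missing from 'enabled', order preserved.
    static Set<String> disabledOnly(String[] supported, String[] enabled) {
        Set<String> diff = new LinkedHashSet<>(Arrays.asList(supported));
        diff.removeAll(Arrays.asList(enabled));
        return diff;
    }

    // Print one security property, one constraint per line.
    static void printProperty(String name) {
        String value = Security.getProperty(name);
        System.out.println(name + ":");
        if (value == null) {
            System.out.println("  (not set)");
            return;
        }
        // The property is a comma-separated list of algorithm constraints.
        for (String entry : value.split(",")) {
            System.out.println("  " + entry.trim());
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));
        printProperty("jdk.tls.disabledAlgorithms");
        printProperty("jdk.certpath.disabledAlgorithms");

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Enabled protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("Supported but not enabled protocols: "
                + disabledOnly(supported.getProtocols(), enabled.getProtocols()));
        System.out.println("Supported but not enabled cipher suites:");
        for (String suite : disabledOnly(supported.getCipherSuites(), enabled.getCipherSuites())) {
            System.out.println("  " + suite);
        }
    }
}
```

Run it with the same JRE that runs the failing test class, so the output reflects the policy actually in effect for that connection.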
