Re: buildfarm server suddenly not talking to old SSL stacks?

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-www(at)lists(dot)postgresql(dot)org, Andrew Dunstan <andrew(at)dunslane(dot)net>
Subject: Re: buildfarm server suddenly not talking to old SSL stacks?
Date: 2018-07-17 05:24:30
Message-ID: 20180717052430.ddpw5hgpotaas6ek@alvherre.pgsql
Lists: pgsql-www

On 2018-Jul-16, Tom Lane wrote:

> My buildfarm animals dromedary and prairiedog have been failing since
> around 9AM EDT on Sunday. The buildfarm script output isn't very
> detailed:
>
> getting branches of interest (https://buildfarm.postgresql.org/branches_of_inte\
> rest.txt) at ./run_branches.pl line 129.
>
> but trying it manually yields
>
> $ curl https://buildfarm.postgresql.org/branches_of_interest.txt
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
>
> The same thing works fine on newer machines though, as does fetching with
> http: instead of https:. Have we done something recently to create an
> incompatibility with old SSL stacks?

Yeah, there were a few updates that day at 11am UTC; particularly the
ca-certificates package was updated (to version 20161130+nmu1+deb9u1).
I don't know why this would be significant (is the server trying to
verify the client's cert?), but here's the changelog:

ca-certificates (20161130+nmu1+deb9u1) stretch; urgency=medium

* debian/ca-certificates.postinst:
Prevent postinst failure on read-only /usr/local. Closes: #843722
* debian/control:
Remove Christian Perrier from uploaders at his request. Closes: #894070
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
Closes: #858064
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "D-TRUST Root CA 3 2013"
+ "GDCA TrustAUTH R5 ROOT"
+ "LuxTrust Global Root 2"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
+ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "ApplicationCA - Japanese Government"
- "Buypass Class 2 CA 1"
- "CA Disig Root R1"
- "Certinomis - Autorité Racine"
- "China Internet Network Information Center EV Certificates Root"
- "CNNIC ROOT"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure eBusiness CA 1"
- "Equifax Secure Global eBusiness CA"
- "GeoTrust Global CA 2"
- "IGC/A"
- "Juur-SK"
- "Microsec e-Szigno Root CA"
- "PSCProcert"
- "Root CA Generalitat Valenciana"
- "RSA Security 2048 v3"
- "Security Communication EV RootCA1"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Swisscom Root CA 1"
- "Swisscom Root EV CA 2"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
- "UTN USERFirst Hardware Root CA"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"
- "WellsSecure Public Root Certificate Authority"

-- Michael Shuler <michael(at)pbandjelly(dot)org> Sat, 07 Jul 2018 01:08:40 +0200

--
Álvaro Herrera https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
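
Added example (not part of the original message or of the buildfarm code): a decoder for the packed error code in the curl output quoted above, reporting whether an OpenSSL failure was raised locally or arrived as an alert sent by the server. It assumes the pre-3.0 OpenSSL error layout; the function name, the alert grouping and the second sample line are constructed for illustration.

```python
import re

# Pre-3.0 OpenSSL packs an error code as lib (8 bits) | function (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20                       # ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000            # SSL reasons >= 1000 are alerts received from the peer
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # raised locally when chain validation fails

# TLS alert descriptions (RFC 5246, section 7.2) with the layer they point at.
# The "layer" grouping is this example's own labelling, not an OpenSSL concept.
ALERTS = {
    40: ("handshake_failure", "negotiation"),
    42: ("bad_certificate", "certificate"),
    45: ("certificate_expired", "certificate"),
    48: ("unknown_ca", "certificate"),
    70: ("protocol_version", "negotiation"),
    71: ("insufficient_security", "negotiation"),
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(line):
    """Unpack the hex error code in an OpenSSL error line; None if there is none."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "origin": "local", "alert": None, "layer": "other"}
    if lib != ERR_LIB_SSL:
        return result
    if reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        name, layer = ALERTS.get(number, ("alert_%d" % number, "other"))
        result.update(origin="peer", alert=name, layer=layer)
    elif reason == SSL_R_CERTIFICATE_VERIFY_FAILED:
        result["layer"] = "certificate"
    return result

SAMPLES = [
    # Error line from the curl run quoted in the message.
    "curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version",
    # Constructed contrast case: a client-side chain validation failure.
    "curl: (60) error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_openssl_error(sample))
```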
