Misconfiguration on SSL for download.postgresql.org ?

Hi at all,
since some day's all our servers can't download updates for the RPM
packages of PostgreSQL.

Error:
Errors during downloading metadata for repository 'pgdg-common':
- Curl error (35): SSL connect error for
https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml
[error:0A000410:SSL routines::sslv3 alert handshake failure]
Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
were tried

After checking the site via nmap:
nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A

I found the problem, the "x25519" ciphers are missing.
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

Which are need on systems where the NIST curves are blocked for security
reasons.

So please re enable the x25519 curve.

Thanks

--
*Frank Büttner*
IT

MDC Berlin-Buch
Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft
Robert-Rössle-Straße 10
13125 Berlin

☎ +49 30 9406 2038
℻ +49 30 9406 2599
✉ frank(dot)buettner(at)mdc-berlin(dot)de