Re: ssl connection issues

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
Cc: Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: ssl connection issues
Date: 2018-09-18 13:53:20
Message-ID: CADK3HH+w+VzE1noskQk74kR0FM=sS01DpCwtmirM4yK_nvuPRQ@mail.gmail.com
Lists: pgsql-jdbc

Hi Gabriele,

Can you share your entire setup? How you are creating the certs, etc.?

Dave Cramer

davec(at)postgresintl(dot)com
www.postgresintl.com

On Tue, 18 Sep 2018 at 09:42, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:

> I had a chance to clone the illumos zone to a separate server and upgrade
> postgres to latest 10.5.
> The results are the same:
>
> Postgres logs "could not accept SSL connection: ccs received early"
>
> The Java code throws the exception:
>
> Exception in thread "main" org.postgresql.util.PSQLException: SSL error:
> Received fatal alert: unexpected_message
> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
> at
> org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
> at org.postgresql.Driver.makeConnection(Driver.java:454)
> at org.postgresql.Driver.connect(Driver.java:256)
> at java.sql.DriverManager.getConnection(DriverManager.java:664)
> at java.sql.DriverManager.getConnection(DriverManager.java:247)
> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
> Caused by: javax.net.ssl.SSLException: Received fatal alert:
> unexpected_message
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
> ... 10 more
> set 18, 2018 3:35:15 PM org.postgresql.Driver connect
> BUONO: Connecting with URL:
> jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
> BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection
> setDefaultFetchSize
> BUONO: setDefaultFetchSize = 0
> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection
> setPrepareThreshold
> BUONO: setPrepareThreshold = 5
> set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl
> openConnectionImpl
> BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
> set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
> BUONO: converting regular socket connection to ssl
> set 18, 2018 3:35:16 PM org.postgresql.Driver connect
> BUONO: Connection error:
> org.postgresql.util.PSQLException: SSL error: Received fatal alert:
> unexpected_message
> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
> at
> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
> at
> org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
> at org.postgresql.Driver.makeConnection(Driver.java:454)
> at org.postgresql.Driver.connect(Driver.java:256)
> at java.sql.DriverManager.getConnection(DriverManager.java:664)
> at java.sql.DriverManager.getConnection(DriverManager.java:247)
> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
> Caused by: javax.net.ssl.SSLException: Received fatal alert:
> unexpected_message
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
> ... 10 more
>
>
>
> *Sonicle S.r.l. *: http://www.sonicle.com
> *Music: *http://www.gabrielebulfon.com
> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>
> ------------------------------
>
>
> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
> *To:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
> *Cc:* pgsql-jdbc(at)lists(dot)postgresql(dot)org
> *Date:* 17 September 2018 12.38.18 CEST
> *Subject:* Re: ssl connection issues
>
>
>
>
>
> On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
> wrote:
>
>> Another avenue for debugging would be to get a free "real" certificate
>> from https://letsencrypt.org/ and check if that works.
>>
>> That way you can see if it's something in your certificate creation
>> process that causes trouble.
>>
>> //Alexander Kjäll
>>
>> On 17. sep. 2018 11:56, Mark Rotteveel wrote:
>> > On 2018-09-17 11:23, Gabriele Bulfon wrote:
>> >> That may be a possibility, but given that I cannot upgrade at the
>> >> moment, how can I check this and maybe change the required cipher to
>> >> match?
>> >
>> > Debugging SSL problems is not really something I do regularly, but you
>> > may want to see if changing the settings in the java.security policy
>> > helps. Settings to try are:
>> >
>> > jdk.tls.disabledAlgorithms
>> > jdk.certpath.disabledAlgorithms
>> >
>> > For reference:
>> >
>> > Java 8 Update 31, disabled SSLv3:
>> > http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
>> > Java 8 Update 51, disabled some cipher suites, and limitations for DH
>> > keys were added:
>> > http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
>> > similar for Java 8 Update 60:
>> > http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
>> > Java 8 update 71 disabled MD5 hash validation of certificates
>> > Java 8 update 121 added restrictions on DSA keysize:
>> > http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
>> > Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
>> > http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
>> > Java 8 update 161 added limitations for DH keys, made some changes to
>> > certificate validation and disabled a number of cipher suites:
>> > http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
>> > Java 8 update 171 disabled some ciphersuites:
>> > http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>> >
>> > Mark
>> >
>
>
>
> Have a look at certdir in the source code. Setting up the ssl tests is not
> particularly difficult. Perhaps getting our tests working first might shed
> some light?
>
> Dave Cramer
>
> davec(at)postgresintl(dot)com
> www.postgresintl.com
>
>
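
The checks suggested in the quoted thread (the `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` settings, plus the hash and key-size restrictions listed for the Java 8 updates) can be inspected with a short diagnostic. This is an added example, not code from any participant in the thread or from the pgjdbc project; the class name `TlsPolicyCheck` is hypothetical and the certificate files are assumed to be PEM-encoded.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name). Run it with the same JRE as the JDBC client:
//   java TlsPolicyCheck client.crt root.crt
public class TlsPolicyCheck {
    // Key size in bits for RSA, DSA and EC public keys; -1 for anything else.
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof DSAPublicKey) return ((DSAPublicKey) key).getParams().getP().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getOrder().bitLength();
        return -1;
    }
    public static void main(String[] args) throws Exception {
        // The two java.security properties named in the thread.
        for (String p : new String[] {"jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms"}) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        // Protocols and cipher suites this JRE enables by default for a TLS client.
        SSLParameters tls = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("protocols = " + Arrays.toString(tls.getProtocols()));
        System.out.println("cipher suites = " + Arrays.toString(tls.getCipherSuites()));
        // Signature algorithm and key size of every certificate in the PEM files given.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    String sig = x.getSigAlgName().toUpperCase();
                    PublicKey key = x.getPublicKey();
                    // MD5 and SHA-1 signatures are the hash restrictions listed in the thread.
                    String note = (sig.contains("MD5") || sig.contains("SHA1")) ? "  <-- weak hash" : "";
                    System.out.printf("%s: %s sig=%s key=%s/%d%s%n", path,
                            x.getSubjectX500Principal().getName(), sig, key.getAlgorithm(), keyBits(key), note);
                }
            }
        }
    }
}
```

Comparing the printed signature algorithm and key size of each certificate against the disabled-algorithm properties shows whether the JRE policy would reject the chain before any cipher negotiation takes place.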
