Re: ssl connection issues

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
Cc: Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: ssl connection issues
Date: 2018-09-18 15:27:37
Message-ID: CADK3HHK=UmPUO+uEMmQgux7Nn254A5oZ6ZsFsDz=K7zh9weMOw@mail.gmail.com
Lists: pgsql-jdbc

On Tue, 18 Sep 2018 at 11:23, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:

> The only server cert known to me that is needed by the client is the
> root.crt (the CA cert) of the server used to sign the client cert.
> These three files are all that is needed by the ODBC driver, by the native
> Navicat DLL connection, and by any other cert-based SSL connection such as
> OpenVPN.
> Actually the JDBC code is not complaining about the certs (if I remove any
> of them it will complain); something is going wrong during the SSL
> handshake that I cannot understand.
>
> Is there any way to log more stuff on the server postgres.log about the
> ssl handshake?
>

I'm sure there is but I don't know how. The server is not my domain.

Try connecting with psql. If you can connect with that then JDBC should be
able to connect.

Dave Cramer

davec(at)postgresintl(dot)com
www.postgresintl.com

> Gabriele
>
> *Sonicle S.r.l. *: http://www.sonicle.com
> *Music: *http://www.gabrielebulfon.com
> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>
> ------------------------------
>
>
> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
> *To:* Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
> *Cc:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
> pgsql-jdbc(at)lists(dot)postgresql(dot)org
> *Date:* 18 September 2018 16:06:14 CEST
> *Subject:* Re: ssl connection issues
>
>
> The Java client needs the server crt as well. Did you provide that to Java?
>
> Dave Cramer
>
> davec(at)postgresintl(dot)com
> www.postgresintl.com
>
> On Tue, 18 Sep 2018 at 10:03, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:
>
>> I used easy-rsa, same tools I use for OpenVPN.
>> Just cloned the easy-rsa tools to a specific new folder configured for
>> Postgres and ran in sequence:
>>
>> . ./vars
>> ./clean-all
>> ./build-ca
>> ./build-dh
>> ./build-key-server server
>>
>> copied server.key, server.crt and ca.crt to my pgdata as server.key,
>> server.crt and root.crt, configured postgres.conf with the server cert
>> names and restarted postgres.
>>
>> Then I built the client certificate with "./build-key client", specifying
>> the needed postgres user as DN.
>> They all work great on both Navicat and ODBC.
>>
>> Gabriele
>>
>> *Sonicle S.r.l. *: http://www.sonicle.com
>> *Music: *http://www.gabrielebulfon.com
>> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>>
>> ------------------------------
>>
>>
>> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
>> *To:* Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
>> *Cc:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
>> pgsql-jdbc(at)lists(dot)postgresql(dot)org
>> *Date:* 18 September 2018 15:53:20 CEST
>> *Subject:* Re: ssl connection issues
>>
>>
>> Hi Gabriele,
>>
>> Can you share your entire setup? How you are creating the certs, etc ?
>>
>>
>> Dave Cramer
>>
>> davec(at)postgresintl(dot)com
>> www.postgresintl.com
>>
>> On Tue, 18 Sep 2018 at 09:42, Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
>> wrote:
>>
>>> I had a chance to clone the illumos zone to a separate server and
>>> upgrade postgres to latest 10.5.
>>> The results are the same:
>>>
>>> Postgres logs "could not accept SSL connection: ccs received early"
>>>
>>> The Java code throws the exception:
>>>
>>> Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
>>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
>>> at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
>>> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
>>> at org.postgresql.Driver.makeConnection(Driver.java:454)
>>> at org.postgresql.Driver.connect(Driver.java:256)
>>> at java.sql.DriverManager.getConnection(DriverManager.java:664)
>>> at java.sql.DriverManager.getConnection(DriverManager.java:247)
>>> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
>>> Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
>>> ... 10 more
>>> Sep 18, 2018 3:35:15 PM org.postgresql.Driver connect
>>> FINE: Connecting with URL:
>>> jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
>>> Sep 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
>>> FINE: PostgreSQL JDBC Driver 42.2.5.jre7
>>> Sep 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
>>> FINE: setDefaultFetchSize = 0
>>> Sep 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
>>> FINE: setPrepareThreshold = 5
>>> Sep 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
>>> FINE: Trying to establish a protocol version 3 connection to x.x.x.x:5432
>>> Sep 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
>>> FINE: converting regular socket connection to ssl
>>> Sep 18, 2018 3:35:16 PM org.postgresql.Driver connect
>>> FINE: Connection error:
>>> org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
>>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
>>> at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
>>> at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
>>> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
>>> at org.postgresql.Driver.makeConnection(Driver.java:454)
>>> at org.postgresql.Driver.connect(Driver.java:256)
>>> at java.sql.DriverManager.getConnection(DriverManager.java:664)
>>> at java.sql.DriverManager.getConnection(DriverManager.java:247)
>>> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
>>> Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
>>> ... 10 more
>>>
>>>
>>>
>>> *Sonicle S.r.l. *: http://www.sonicle.com
>>> *Music: *http://www.gabrielebulfon.com
>>> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>>>
>>> ------------------------------
>>>
>>>
>>> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
>>> *To:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
>>> *Cc:* pgsql-jdbc(at)lists(dot)postgresql(dot)org
>>> *Date:* 17 September 2018 12:38:18 CEST
>>> *Subject:* Re: ssl connection issues
>>>
>>>
>>>
>>>
>>>
>>> On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
>>> wrote:
>>>
>>>> Another avenue for debugging would be to get a free "real" certificate
>>>> from https://letsencrypt.org/ and check if that works.
>>>>
>>>> That way you can see if it's something in your certificate creation
>>>> process that causes trouble.
>>>>
>>>> //Alexander Kjäll
>>>>
>>>> On 17 Sep 2018 11:56, Mark Rotteveel wrote:
>>>> > On 2018-09-17 11:23, Gabriele Bulfon wrote:
>>>> >> That may be a possibility, but given that I cannot upgrade at the
>>>> >> moment, how can I check this and maybe change the required cipher to
>>>> >> match?
>>>> >
>>>> > Debugging SSL problems is not really something I do regularly, but you
>>>> > may want to see if changing the settings in the java.security policy
>>>> > helps. Settings to try are:
>>>> >
>>>> > jdk.tls.disabledAlgorithms
>>>> > jdk.certpath.disabledAlgorithms
>>>> >
>>>> > For reference:
>>>> >
>>>> > Java 8 Update 31 disabled SSLv3:
>>>> > http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html
>>>> > Java 8 Update 51 disabled some cipher suites, and limitations for DH
>>>> > keys were added:
>>>> > http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html
>>>> > Similar for Java 8 Update 60:
>>>> > http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
>>>> > Java 8 Update 71 disabled MD5 hash validation of certificates.
>>>> > Java 8 Update 121 added restrictions on DSA key size:
>>>> > http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
>>>> > Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
>>>> > http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
>>>> > Java 8 Update 161 added limitations for DH keys, made some changes to
>>>> > certificate validation and disabled a number of cipher suites:
>>>> > http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
>>>> > Java 8 Update 171 disabled some cipher suites:
>>>> > http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>>>> >
>>>> > Mark
>>>> >
>>>
>>>
>>>
>>> Have a look at certdir in the source code. Setting up the SSL tests is
>>> not particularly difficult. Perhaps getting our tests working first might
>>> shed some light?
>>>
>>> Dave Cramer
>>>
>>> davec(at)postgresintl(dot)com
>>> www.postgresintl.com
>>>
>>>
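Added example, not from the thread and not pgjdbc or PostgreSQL project code: the offline checks worth running on the four files before trying the connection with psql as Dave suggests. It stands in for the easy-rsa steps quoted above with plain openssl calls that produce the same layout (one CA signing both the server and the client certificate, the client certificate's CN being the PostgreSQL role), then checks that each key matches its certificate, that each certificate chains to root.crt for its purpose (clientAuth or serverAuth), and that the client CN equals the role. The host name db.example.internal, the role dbuser and the database name are made up for the example; probe_handshake and psql_probe need a reachable server and are defined but not run by the script.

```shell
#!/bin/sh
# Added example, not code from the thread: easy-rsa replaced by plain
# openssl, followed by the offline checks that rule out the PKI before
# blaming the driver. Needs openssl 1.1.0+ (psql only for psql_probe).
# Host, role and database names are made up.
set -eu

# Build a throwaway PKI: root.crt (CA), server.{key,crt}, client.{key,crt}.
# One CA signs both certs, the layout the thread uses: the server's root.crt
# (ssl_ca_file) verifies the client cert, the client's root.crt the server cert.
make_test_pki() {  # make_test_pki <dir> <db-role> <server-hostname>
  d="$1"; role="$2"; host="$3"
  mkdir -p "$d"
  cat > "$d/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = test-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$d/pki.cnf" -keyout "$d/ca.key" -out "$d/root.crt" 2>/dev/null
  # Server cert: EKU serverAuth plus a SAN, which sslmode=verify-full checks.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$d/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
    -subj "/CN=$host" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  # Client cert: EKU clientAuth; CN is the role, which cert authentication maps to.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
    -subj "/CN=$role" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  chmod 600 "$d/client.key" "$d/server.key"   # libpq refuses a group/world-readable sslkey
}

# Print the CN of a certificate's subject.
cert_cn() {  # cert_cn <cert>
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if key and certificate carry the same public key.
key_matches_cert() {  # key_matches_cert <key> <cert>
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate chains to the CA and is valid for the purpose
# (sslclient or sslserver); this is where EKU/nsCertType mistakes show up.
cert_chains_to_ca() {  # cert_chains_to_ca <root.crt> <purpose> <cert>
  openssl verify -purpose "$2" -CAfile "$1" "$3" >/dev/null 2>&1
}

cn_equals() {  # cn_equals <cert> <expected-cn>
  [ "$(cert_cn "$1")" = "$2" ]
}

check() {  # check <label> <command...>: print PASS/FAIL, count failures
  label="$1"; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; FAILS=$((FAILS + 1)); fi
}

# Offline pre-flight over the files JDBC and libpq are pointed at; 0 only if all pass.
preflight() {  # preflight <dir> <db-role>
  FAILS=0
  check "client.key matches client.crt"               key_matches_cert "$1/client.key" "$1/client.crt"
  check "server.key matches server.crt"               key_matches_cert "$1/server.key" "$1/server.crt"
  check "client.crt chains to root.crt as sslclient"  cert_chains_to_ca "$1/root.crt" sslclient "$1/client.crt"
  check "server.crt chains to root.crt as sslserver"  cert_chains_to_ca "$1/root.crt" sslserver "$1/server.crt"
  check "client.crt CN equals role '$2'"              cn_equals "$1/client.crt" "$2"
  [ "$FAILS" -eq 0 ]
}

# Drive the TLS handshake alone, with neither libpq nor JDBC in the way; the
# alert that ends a failing handshake is printed. Needs a live server; not run here.
probe_handshake() {  # probe_handshake <dir> <host> [port]
  openssl s_client -connect "$2:${3:-5432}" -starttls postgres -showcerts \
    -CAfile "$1/root.crt" -cert "$1/client.crt" -key "$1/client.key" </dev/null
}

# Dave's suggestion: the same files through psql. verify-full also matches the
# server cert's SAN/CN against <host>; use verify-ca if that is not set up. Not run here.
psql_probe() {  # psql_probe <dir> <host> <dbname> <role>
  psql "host=$2 dbname=$3 user=$4 sslmode=verify-full sslrootcert=$1/root.crt sslcert=$1/client.crt sslkey=$1/client.key" \
    -c 'select ssl, version, cipher from pg_stat_ssl where pid = pg_backend_pid()'
}

# Stand-alone run: build a throwaway PKI in a temp dir and pre-flight it.
DEMO="$(mktemp -d)"
make_test_pki "$DEMO" dbuser db.example.internal
preflight "$DEMO" dbuser
```

If the pre-flight passes, the files are not the problem and the handshake itself is. openssl s_client -starttls postgres (OpenSSL 1.1.0 and later) shows the client side of that handshake, including the alert that ends it, which the JDBC exception above does not; on the Java side, running the test class with -Djavax.net.debug=ssl:handshake prints the same exchange from the JSSE end. With log_connections = on, the server logs the negotiated protocol and cipher for connections that do succeed. One caveat on the URL in the thread: with sslmode=require, pgjdbc's LibPQFactory does not validate the server certificate at all (sslrootcert is only loaded for verify-ca and verify-full), so the client-side root.crt cannot be what produces the unexpected_message alert.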
