Re: ssl connection issues

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
Cc: Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: ssl connection issues
Date: 2018-09-18 14:06:14
Message-ID: CADK3HHLfPv5Znr_Pn0sciqadoZ5kYGLCRVKbz2ggi+MfW2PDMg@mail.gmail.com
Lists: pgsql-jdbc

The Java client needs the server crt as well. Did you provide that to Java?

Dave Cramer

davec(at)postgresintl(dot)com
www.postgresintl.com

On Tue, 18 Sep 2018 at 10:03, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:

> I used easy-rsa, same tools I use for OpenVPN.
> Just cloned the easy-rsa tools to a specific new folder configured for
> Postgres and ran in sequence:
>
> . ./vars
> ./clean-all
> ./build-ca
> ./build-dh
> ./build-key-server server
>
> copied server.key, server.crt and ca.crt to my pgdata as server.key,
> server.crt and root.crt , configured postgres.conf with the server cert
> names and restarted postgres.
>
> Then I built the client certificate with "./build-key client" specifying
> the needed postgres user as dn.
> They all work great on both Navicat and ODBC.
>
> Gabriele
>
> *Sonicle S.r.l. *: http://www.sonicle.com
> *Music: *http://www.gabrielebulfon.com
> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>
> ------------------------------
>
>
> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
> *To:* Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
> *Cc:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
> pgsql-jdbc(at)lists(dot)postgresql(dot)org
> *Date:* 18 September 2018 15.53.20 CEST
> *Subject:* Re: ssl connection issues
>
>
> Hi Gabriele,
>
> Can you share your entire setup? How you are creating the certs, etc.?
>
>
> Dave Cramer
>
> davec(at)postgresintl(dot)com
> www.postgresintl.com
>
> On Tue, 18 Sep 2018 at 09:42, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:
>
>> I had a chance to clone the illumos zone to a separate server and upgrade
>> postgres to latest 10.5.
>> The results are the same:
>>
>> Postgres logs "could not accept SSL connection: ccs received early"
>>
>> The Java code throws the exception:
>>
>> Exception in thread "main" org.postgresql.util.PSQLException: SSL error:
>> Received fatal alert: unexpected_message
>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
>> at
>> org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
>> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
>> at org.postgresql.Driver.makeConnection(Driver.java:454)
>> at org.postgresql.Driver.connect(Driver.java:256)
>> at java.sql.DriverManager.getConnection(DriverManager.java:664)
>> at java.sql.DriverManager.getConnection(DriverManager.java:247)
>> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
>> Caused by: javax.net.ssl.SSLException: Received fatal alert:
>> unexpected_message
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
>> ... 10 more
>> set 18, 2018 3:35:15 PM org.postgresql.Driver connect
>> BUONO: Connecting with URL:
>> jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
>> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
>> BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
>> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection
>> setDefaultFetchSize
>> BUONO: setDefaultFetchSize = 0
>> set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection
>> setPrepareThreshold
>> BUONO: setPrepareThreshold = 5
>> set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl
>> openConnectionImpl
>> BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
>> set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
>> BUONO: converting regular socket connection to ssl
>> set 18, 2018 3:35:16 PM org.postgresql.Driver connect
>> BUONO: Connection error:
>> org.postgresql.util.PSQLException: SSL error: Received fatal alert:
>> unexpected_message
>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
>> at
>> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
>> at
>> org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
>> at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
>> at org.postgresql.Driver.makeConnection(Driver.java:454)
>> at org.postgresql.Driver.connect(Driver.java:256)
>> at java.sql.DriverManager.getConnection(DriverManager.java:664)
>> at java.sql.DriverManager.getConnection(DriverManager.java:247)
>> at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
>> Caused by: javax.net.ssl.SSLException: Received fatal alert:
>> unexpected_message
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>> at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
>> ... 10 more
>>
>>
>>
>> *Sonicle S.r.l. *: http://www.sonicle.com
>> *Music: *http://www.gabrielebulfon.com
>> *Quantum Mechanics : *http://www.cdbaby.com/cd/gabrielebulfon
>>
>> ------------------------------
>>
>>
>> *From:* Dave Cramer <pg(at)fastcrypt(dot)com>
>> *To:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
>> *Cc:* pgsql-jdbc(at)lists(dot)postgresql(dot)org
>> *Date:* 17 September 2018 12.38.18 CEST
>> *Subject:* Re: ssl connection issues
>>
>>
>>
>>
>>
>> On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>
>> wrote:
>>
>>> Another avenue for debugging would be to get a free "real" certificate
>>> from https://letsencrypt.org/ and check if that works.
>>>
>>> That way you can see if it's something in your certificate creation
>>> process that causes trouble.
>>>
>>> //Alexander Kjäll
>>>
>>> On 17. sep. 2018 11:56, Mark Rotteveel wrote:
>>> > On 2018-09-17 11:23, Gabriele Bulfon wrote:
>>> >> That may be a possibility, but given that I cannot upgrade at the
>>> >> moment, how can I check this and maybe change the required cipher to
>>> >> match?
>>> >
>>> > Debugging SSL problems is not really something I do regularly, but you
>>> > may want to see if changing the settings in the java.security policy
>>> > helps. Settings to try are:
>>> >
>>> > jdk.tls.disabledAlgorithms
>>> > jdk.certpath.disabledAlgorithms
>>> >
>>> > For reference:
>>> >
>>> > Java 8 Update 31, disabled SSLv3:
>>> > http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
>>> > Java 8 Update 51, disabled some cipher suites, and limitations for DH
>>> > keys were added:
>>> > http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
>>> > similar for Java 8 Update 60:
>>> > http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
>>> > Java 8 update 71 disabled MD5 hash validation of certificates
>>> > Java 8 update 121 added restrictions on DSA keysize:
>>> > http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
>>> > Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
>>> > http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
>>> > Java 8 update 161 added limitations for DH keys, made some changes to
>>> > certificate validation and disabled a number of cipher suites:
>>> > http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
>>> > Java 8 update 171 disabled some ciphersuites:
>>> > http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>>> >
>>> > Mark
>>> >
>>
>>
>>
>> Have a look at certdir in the source code. Setting up the ssl tests is
>> not particularly difficult. Perhaps getting our tests working first might
>> shed some light?
>>
>> Dave Cramer
>>
>> davec(at)postgresintl(dot)com
>> www.postgresintl.com
>>
>>
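
The checks suggested in this thread can be run from the client JVM itself. The following is an added example, not code from the thread or from the pgjdbc project: it prints the two `java.security` settings Mark names and the JVM's default TLS parameters, then reports each certificate's signature algorithm and key size and verifies it against the CA. The class name `TlsPolicyCheck` and the file arguments are assumptions; the first argument is taken to be the CA certificate (`root.crt` in the setup described above).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Usage (assumed file names): java TlsPolicyCheck root.crt server.crt client.crt
public class TlsPolicyCheck {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof DSAPublicKey) return ((DSAPublicKey) k).getParams().getP().bitLength();
        return -1; // other key types: size not reported by this example
    }

    public static void main(String[] args) throws Exception {
        // The two java.security settings named in the thread, as this JVM sees them.
        for (String p : new String[] {"jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms"}) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("enabled protocols = " + String.join(", ", params.getProtocols()));
        System.out.println("enabled cipher suites = " + params.getCipherSuites().length);

        if (args.length == 0) return;
        X509Certificate ca = load(args[0]); // first argument is treated as the CA
        for (String path : args) {
            X509Certificate c = load(path);
            System.out.println(path + ": sigAlg=" + c.getSigAlgName()
                + " key=" + c.getPublicKey().getAlgorithm() + "/" + keyBits(c.getPublicKey())
                + " subject=" + c.getSubjectX500Principal().getName());
            try {
                c.checkValidity();           // notBefore / notAfter against the local clock
                c.verify(ca.getPublicKey()); // signature was produced by the CA key
                System.out.println("  valid now and signed by " + args[0]);
            } catch (Exception e) {
                System.out.println("  FAILED: " + e);
            }
        }
    }
}
```

Compare the reported signature algorithm and key size with the entries in `jdk.certpath.disabledAlgorithms` for the JDK update in use.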
