ssl connection issues


ssl connection issues

Gabriele Bulfon
Hello,
 
I recently configured Postgresql 9.0.9 with SSL only "on" and all its needed server certificates.
I then created the client certificates and started working with them from a windows client.
 
At first I used them with tools like Navicat, just specified the 3 certs files (key,crt and root.crt) in the ssl pane, worked fine.
 
Then I tried with ODBC, placed the files in %APPDATA%/postgresql with correct names (postgresql.key, postgresql.crt, root.crt), created the connection and tested it, worked fine.
 
Last I tried with jdbc, thinking it would have been so easy: I've been fighting for 2 days with lots of different issues.
After some messing around, I also finally discovered that, unlike ODBC, it looks for a pk8 file (why this difference?).
I created the pk8 file on the server from the original key used for odbc, with the command:
# openssl pkcs8 -topk8 -in client.key -out client.pk8 -outform DER -nocrypt
placed the pk8 file in %APPDATA%/postgresql and launched my test java connection:
 
Connection con=DriverManager.getConnection("jdbc:postgresql://myhost:5432/mydb?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=require","user","pass");
 
And now I get this:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: decrypt_error
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 
Tried with jdk1.7, jdk1.8 and openjdk1.8.
 
Any idea?
Gabriele

Re: ssl connection issues

Vladimir Sitnikov
>Last I tried with jdbc, thinking it would have been so easy: I'm fighting for 2 days with lots of different issues.

Which pgjdbc version are you using?

>it would look for a pk8 file (why this difference?).

I've no idea.

>sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory

It is a default, so you might omit that

>ssl=true&sslmode=require

It is a bit misleading, and I would recommend sticking to sslmode.   ssl=

>Received fatal alert: decrypt_error

It does look like the Java side does not support the cipher.
How was the server certificate created?

Could you please post the output of

openssl x509 -in server.crt -text

?

Vladimir

Re: ssl connection issues

Dave Cramer-8

On Thu, 13 Sep 2018 at 09:34, Vladimir Sitnikov <[hidden email]> wrote:
> >it would look for a pk8 file (why this difference?).
>
> I've no idea.

As far as I know Java requires a pk8 file.

Dave Cramer

[hidden email]

Re: ssl connection issues

Craig Ringer-3
In reply to this post by Gabriele Bulfon
On 13 September 2018 at 20:23, Gabriele Bulfon <[hidden email]> wrote:
> Last I tried with jdbc, thinking it would have been so easy: I've been fighting for 2 days with lots of different issues.
> After some messing around, I also finally discovered that, unlike ODBC, it looks for a pk8 file (why this difference?).

AFAIK it's largely historical, and due to now-lifted limitations in JSSE.

You should probably use sslfactory=org.postgresql.ssl.LibPQFactory and possibly specify explicit paths for the sslcert and sslkey parameters.

This seems to be undocumented, unfortunately.


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

Re: ssl connection issues

Gabriele Bulfon
In reply to this post by Gabriele Bulfon
Hi,
 
sorry, I'm replying to my own original email, because some unwanted filter made me lose the thread emails from the list in my inbox...
 
Vladimir, here is the output from openssl:
 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=www.company.it/emailAddress=[hidden email]
        Validity
            Not Before: Sep 11 07:40:57 2018 GMT
            Not After : Sep  8 07:40:57 2028 GMT
        Subject: C=IT, ST=MI, L=Assago, O=Company S.p.A., CN=server.name.com/emailAddress=[hidden email]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:99:1e:60:44:76:63:dc:9c:49:c3:d0:69:81:ac:
                    81:2a:19:28:01:70:9c:c9:d5:0b:22:b9:4c:78:75:
                    a9:d5:80:18:96:ad:cd:94:cd:cd:a4:36:0f:a6:06:
                    0f:c7:41:2f:66:43:49:08:53:ff:54:be:ad:bc:02:
                    76:eb:66:94:40:fa:4e:65:44:37:69:6d:43:62:9a:
                    5e:8a:46:30:d8:55:af:aa:27:bb:b8:e0:c3:ed:75:
                    2f:92:11:69:e5:24:c3:e8:d5:a4:92:52:22:b0:8e:
                    93:0d:57:95:25:e6:c0:c4:42:f8:36:67:fe:bb:d8:
                    22:51:f4:b3:e9:e8:dc:34:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Easy-RSA Generated Server Certificate
            X509v3 Subject Key Identifier:
                B7:82:BB:04:2C:66:7E:78:72:D8:DD:2A:CB:84:A7:A9:8B:52:EB:5B
            X509v3 Authority Key Identifier:
                keyid:BC:ED:8A:2A:3A:D7:F9:B0:97:9C:18:9A:F5:01:D1:83:EB:32:C2:89
                DirName:/C=IT/ST=MI/L=Assago/O=Company S.p.A./CN=www.company.it/emailAddress=[hidden email]
                serial:87:84:72:38:BB:2F:30:A2

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
         52:ae:b0:1f:6a:e8:ab:f3:ca:a5:bf:2e:96:75:a6:4a:a7:c1:
         32:d0:c6:53:d2:c8:36:d1:00:f6:56:b5:d8:99:65:b0:3b:a1:
         11:d6:63:d3:c5:60:5d:69:14:46:b3:10:a7:c5:f1:34:fe:c0:
         b5:bc:90:72:c1:2b:ff:c8:e8:3d:54:d5:2a:0c:19:c3:f5:16:
         ab:f2:cd:89:4e:eb:f6:b7:5a:36:43:c3:88:11:41:67:31:f8:
         15:ad:45:19:50:0d:ec:fd:81:9b:03:47:f4:71:a0:f3:58:b6:
         c8:a9:29:12:d9:a7:b3:00:77:d5:2c:7c:2e:de:10:fe:8f:52:
         d4:c2
-----BEGIN CERTIFICATE-----
[PEM body not preserved in the archive]
-----END CERTIFICATE-----

Re: ssl connection issues

Dave Cramer-8
In reply to this post by Craig Ringer-3

On Thu, 13 Sep 2018 at 11:10, Craig Ringer <[hidden email]> wrote:
> AFAIK it's largely historical, and due to now-lifted limitations in JSSE.
>
> You should probably use sslfactory=org.postgresql.ssl.LibPQFactory and possibly specify explicit paths for the sslcert and sslkey parameters.
>
> This seems to be undocumented, unfortunately.

The default is LibPQFactory and it is fairly well documented.

https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters

If this is lacking please let me know. I will fix it.

Thanks
Dave Cramer

[hidden email]



Re: ssl connection issues

Craig Ringer-3

On 14 September 2018 at 18:20, Dave Cramer <[hidden email]> wrote:
> the default is LibPQFactory and it is fairly well documented.
>
> https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters


Nope, apparently the only problem is my reading ability. Sorry.

That does make me wonder why Gabriele is having this issue though.



--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

Re: ssl connection issues

Mark Rotteveel
On 2018-09-17 10:22, Craig Ringer wrote:

> On 14 September 2018 at 18:20, Dave Cramer <[hidden email]> wrote:
>
>> the default is LibPQFactory and it is fairly well documented.
>>
>> https://jdbc.postgresql.org/documentation/head/connect.html#connection-parameters
>
> Nope, apparently the only problem is my reading ability. Sorry.
>
> That does make me wonder why Gabriele is having this issue though.

Given the age of PostgreSQL 9.0, could it be an SSL/TLS version problem,
given all the default restrictions on supported SSL/TLS versions and
supported cipher suites in recent Java versions?

Mark


Re: ssl connection issues

Gabriele Bulfon
That may be a possibility, but given that I cannot upgrade at the moment, how can I check this and maybe change the required cipher to match?
 
Gabriele


Re: ssl connection issues

Mark Rotteveel
On 2018-09-17 11:23, Gabriele Bulfon wrote:
> That may be a possibility, but given that I cannot upgrade at the
> moment, how can I check this and maybe change the required cipher to
> match?

Debugging SSL problems is not really something I do regularly, but you
may want to see if changing the settings in the java.security policy
helps. Settings to try are:

jdk.tls.disabledAlgorithms
jdk.certpath.disabledAlgorithms

For reference:

Java 8 Update 31, disabled SSLv3:
http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
Java 8 Update 51, disabled some cipher suites, and limitations for DH
keys were added:
http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
similar for Java 8 Update 60:
http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
Java 8 update 71 disabled MD5 hash validation of certificates
Java 8 update 121 added restrictions on DSA keysize:
http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
Java 8 update 161 added limitations for DH keys, made some changes to
certificate validation and disabled a number of cipher suites:
http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
Java 8 update 171 disabled some cipher suites:
http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html

Mark
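
The two certificate parameters visible in the openssl output posted earlier in this thread (a 1024-bit RSA key and a sha1WithRSAEncryption signature) are exactly what the JDK restrictions listed above act on. The following Go program is an added example, not code from this thread, from pgjdbc or from PostgreSQL: it generates a constructed self-signed certificate with the same 1024-bit key size, parses it, and reports the parameters that the jdk.certpath.disabledAlgorithms / jdk.tls.disabledAlgorithms entries would refuse. The 2048-bit floor, the Finding type, the function names and the host name server.name.com are the example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate parameter that a hardened JDK
// (jdk.certpath.disabledAlgorithms / jdk.tls.disabledAlgorithms in
// java.security) may refuse during the TLS handshake.
type Finding struct {
	Param  string
	Detail string
}

// checkKeyAndSignature applies the two checks that matter for the
// "openssl x509 -text" output in the thread: RSA key size and signature
// hash. minRSABits is the caller's policy floor: Java 8 defaults reject
// RSA keys below 1024 bits; 2048 is the floor a practitioner should set.
func checkKeyAndSignature(rsaBits int, sigAlg x509.SignatureAlgorithm, minRSABits int) []Finding {
	var findings []Finding
	if rsaBits > 0 && rsaBits < minRSABits {
		findings = append(findings, Finding{
			Param:  "key size",
			Detail: fmt.Sprintf("RSA %d bits is below the %d-bit floor", rsaBits, minRSABits),
		})
	}
	switch sigAlg {
	case x509.MD2WithRSA, x509.MD5WithRSA:
		findings = append(findings, Finding{
			Param:  "signature",
			Detail: "MD2/MD5 signatures are disabled in every supported JDK",
		})
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, Finding{
			Param:  "signature",
			Detail: "SHA-1 signature: JDK 8u141+ rejects it for TLS server chains anchored in the JDK cacerts store; private CAs should move to SHA-256 as well",
		})
	}
	return findings
}

// checkPEM parses a PEM-encoded certificate and runs checkKeyAndSignature
// on it. Non-RSA keys are reported with size 0 and skip the size check.
func checkPEM(pemBytes []byte, minRSABits int) ([]Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	rsaBits := 0
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		rsaBits = pub.N.BitLen()
	}
	return checkKeyAndSignature(rsaBits, cert.SignatureAlgorithm, minRSABits), nil
}

// weakServerCertPEM builds a constructed, self-signed server certificate
// with the same 1024-bit RSA key size as the one posted in the thread
// (sample input, not the thread's real certificate). It is signed with
// SHA-256, Go's default; the SHA-1 case is covered by calling
// checkKeyAndSignature directly.
func weakServerCertPEM() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "server.name.com"}, // hypothetical host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := weakServerCertPEM()
	if err != nil {
		panic(err)
	}
	findings, err := checkPEM(pemBytes, 2048)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("constructed cert - %s: %s\n", f.Param, f.Detail)
	}
	// The parameters from the thread's real certificate trip both checks.
	for _, f := range checkKeyAndSignature(1024, x509.SHA1WithRSA, 2048) {
		fmt.Printf("thread cert - %s: %s\n", f.Param, f.Detail)
	}
}
```

To run it against a real server.crt, feed the file's bytes to checkPEM instead of the constructed PEM. If it reports findings, reissuing the certificate with a 2048-bit or larger RSA key and a SHA-256 signature fixes the handshake without touching the client; editing jdk.tls.disabledAlgorithms / jdk.certpath.disabledAlgorithms as suggested above is the workaround, and it lowers the TLS floor for every connection that JVM makes, not only the PostgreSQL one.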


Re: ssl connection issues

Alexander Kjäll
Another avenue for debugging would be to get a free "real" certificate
from https://letsencrypt.org/ and check if that works.

That way you can see if it's something in your certificate creation
process that causes trouble.

//Alexander Kjäll



Re: ssl connection issues

Dave Cramer-8



On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <[hidden email]> wrote:
Another avenue for debugging would be to get a free "real" certificate
from https://letsencrypt.org/ and check if that works.

That way you can see if it's something in your certificate creation
process that causes trouble.

//Alexander Kjäll



Have a look at certdir in the source code. Setting up the SSL tests is not particularly difficult. Perhaps getting our tests working first might shed some light?


Re: ssl connection issues

Gabriele Bulfon
I had a chance to clone the illumos zone to a separate server and upgrade Postgres to the latest 10.5.
The results are the same:
 
Postgres logs "could not accept SSL connection: ccs received early"
 
The Java code throws the exception:
 
Exception in thread "main" org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
set 18, 2018 3:35:15 PM org.postgresql.Driver connect
BUONO: Connecting with URL: jdbc:postgresql://x.x.x.x:5432/dbname?ssl=true&loggerLevel=DEBUG&sslfactory=org.postgresql.ssl.LibPQFactory&sslmode=require&sslkey=C:\Users\user\AppData\Roaming\postgresql\client.key&sslcert=C:\Users\user\AppData\Roaming\postgresql\client.crt&sslrootcert=C:\Users\user\AppData\Roaming\postgresql\root.crt
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more

Re: ssl connection issues

Dave Cramer-8
Hi Gabriele,

Can you share your entire setup? How you are creating the certs, etc.?


BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 







Re: ssl connection issues

Gabriele Bulfon
I used easy-rsa, same tools I use for OpenVPN.
Just cloned the easy-rsa tools to a specific new folder configured for Postgres and ran in sequence:
 
. ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
 
copied server.key, server.crt and ca.crt to my pgdata as server.key, server.crt and root.crt , configured postgres.conf with the server cert names and restarted postgres.
 
Then I built the client certificate with "./build-key client", specifying the needed postgres user as DN.
They all work great on both Navicat and ODBC.
 
Gabriele
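As an added example (it is not code from this thread, from easy-rsa or from pgjdbc): a small Java checker that takes the three files the JDBC URL above points at (root.crt, client.crt and the unencrypted PKCS#8 DER key the driver's LibPQFactory wants instead of the PEM client.key) and tests them offline for the things raised in this thread. It checks that client.crt really chains to root.crt, that the key file belongs to client.crt, that the certificate CN matches the database user that was given to easy-rsa as the DN, and whether the signature algorithms and key sizes trip the jdk.certpath.disabledAlgorithms policy that the Java 8 release notes quoted by Mark keep tightening. The class name, file paths and the dbuser argument are placeholders, and the policy parsing is a heuristic over the comma-separated java.security entries rather than the JDK's own matcher.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.*;
import java.security.spec.PKCS8EncodedKeySpec;

// Added example, not pgjdbc code: offline check of sslrootcert, sslcert and sslkey against the
// JDK policy that will judge them. Paths and dbuser are placeholders:
//   java PgClientCertCheck root.crt client.crt client.pk8 dbuser
public class PgClientCertCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) { System.err.println("usage: root.crt client.crt client.pk8 dbuser"); System.exit(2); }
        X509Certificate ca = loadPemCert(args[0]);
        X509Certificate client = loadPemCert(args[1]);
        PrivateKey key = loadPkcs8Der(args[2]); // LibPQFactory reads an unencrypted PKCS#8 DER key, not the PEM .key

        // 1. Chain: client.crt must have been signed by root.crt (the easy-rsa CA certificate).
        try { client.verify(ca.getPublicKey()); report(true, "client.crt is signed by root.crt"); }
        catch (Exception e) { report(false, "client.crt is NOT signed by root.crt: " + e.getMessage()); }

        // 2. Signature algorithm and key size of each cert against jdk.certpath.disabledAlgorithms, the
        //    java.security property the release notes quoted above keep tightening (MD5, SHA-1, small keys).
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        System.out.println("jdk.certpath.disabledAlgorithms = " + policy);
        System.out.println("jdk.tls.disabledAlgorithms      = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (X509Certificate c : new X509Certificate[] {ca, client}) {
            String hit = policyHit(c, policy);
            report(hit == null, c.getSubjectX500Principal().getName() + ": " + c.getSigAlgName() + ", "
                    + c.getPublicKey().getAlgorithm() + " " + keyBits(c.getPublicKey()) + " bits"
                    + (hit == null ? "" : " (trips policy entry '" + hit + "')"));
        }

        // 3. The private key must belong to client.crt: sign a constructed message, verify with the cert's key.
        try {
            byte[] probe = "constructed probe message".getBytes(StandardCharsets.UTF_8);
            String sigAlg = "SHA256with" + (key.getAlgorithm().equals("EC") ? "ECDSA" : key.getAlgorithm());
            Signature s = Signature.getInstance(sigAlg); s.initSign(key); s.update(probe);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance(sigAlg); v.initVerify(client.getPublicKey()); v.update(probe);
            report(v.verify(sig), "client.pk8 matches the public key in client.crt");
        } catch (Exception e) { report(false, "client.pk8 does not match client.crt: " + e.getMessage()); }

        // 4. With certificate authentication the server maps the certificate CN to the database role.
        String cn = commonName(client);
        report(args[3].equals(cn), "client.crt CN='" + cn + "' vs db user '" + args[3] + "'");
    }

    static X509Certificate loadPemCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) { // CertificateFactory accepts PEM as well as DER
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static PrivateKey loadPkcs8Der(String path) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(path)));
        for (String alg : new String[] {"RSA", "EC", "DSA"}) {
            try { return KeyFactory.getInstance(alg).generatePrivate(spec); } catch (Exception ignored) { }
        }
        throw new IllegalArgumentException(path + " is not an unencrypted PKCS#8 DER key; create one with"
                + " openssl pkcs8 -topk8 -in client.key -out client.pk8 -outform DER -nocrypt");
    }

    // First disabled-algorithm entry the cert trips, or null. "RSA keySize < 1024" is compared against the
    // key; "MD5", "SHA1 jdkCA & ..." against the signature name (conditional entries are flagged too).
    static String policyHit(X509Certificate c, String policy) {
        if (policy == null) return null;
        String sigAlg = c.getSigAlgName().toUpperCase();
        PublicKey k = c.getPublicKey();
        for (String entry : policy.split(",")) {
            String[] t = entry.trim().split("\\s+");
            if (t[0].isEmpty() || t[0].equals("include")) continue;
            if (t.length == 4 && t[1].equals("keySize") && t[2].equals("<")) {
                if (t[0].equalsIgnoreCase(k.getAlgorithm()) && keyBits(k) < Integer.parseInt(t[3])) return entry.trim();
            } else if (sigAlg.contains(t[0].toUpperCase())) {
                return entry.trim();
            }
        }
        return null;
    }

    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof DSAPublicKey) return ((DSAPublicKey) k).getParams().getP().bitLength();
        if (k instanceof ECPublicKey) return ((ECPublicKey) k).getParams().getOrder().bitLength();
        return -1;
    }

    static String commonName(X509Certificate c) { // RFC 2253 form "CN=dbuser,O=..."; escaped commas ignored
        for (String rdn : c.getSubjectX500Principal().getName().split(","))
            if (rdn.trim().startsWith("CN=")) return rdn.trim().substring(3);
        return "";
    }

    static void report(boolean ok, String msg) { System.out.println((ok ? "[ok]   " : "[FAIL] ") + msg); }
}
```

Run it with the same JDK the application runs on, because the two disabled-algorithm lists are read from that JDK's java.security, not from the server. A [FAIL] on the policy line is the case where a current Java 8 update refuses a certificate that OpenSSL-based clients such as ODBC or Navicat still accept; a clean run rules the files out and leaves the handshake itself, which the standard JVM option -Djavax.net.debug=ssl:handshake prints in full on the client side.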






Re: ssl connection issues

Dave Cramer-8
The Java client needs the server crt as well. Did you provide that to Java?


Re: ssl connection issues

Gabriele Bulfon
The only server cert known to me that is needed by the client is the root.crt (the CA cert) of the server used to sign the client cert.
These three files are all that is needed by the ODBC driver, by the native Navicat DLL connection, and by any other cert-based SSL connection such as OpenVPN.
Actually the JDBC code is not complaining about the certs (if I remove any of them it will complain); something is going wrong during the SSL handshake that I cannot understand.
 
Is there any way to log more stuff on the server postgres.log about the ssl handshake?
 
Gabriele






Re: ssl connection issues

Dave Cramer-8



On Tue, 18 Sep 2018 at 11:23, Gabriele Bulfon <[hidden email]> wrote:
The only server cert known to me that is needed by the client is the root.crt (the CA cert) of the server used to sign the client cert.
These three files are all that is needed by the ODBC driver, by the native Navicat DLL connection, and by any other cert-based SSL connection such as OpenVPN.
Actually the JDBC code is not complaining about the certs (if I remove any of them it will complain); something is going wrong during the SSL handshake that I cannot understand.
 
Is there any way to log more stuff on the server postgres.log about the ssl handshake?

I'm sure there is but I don't know how. The server is not my domain.

Try connecting with psql. If you can connect with that then JDBC should be able to connect. 

 
Gabriele





set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection <init>
BUONO: PostgreSQL JDBC Driver 42.2.5.jre7
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setDefaultFetchSize
BUONO: setDefaultFetchSize = 0
set 18, 2018 3:35:15 PM org.postgresql.jdbc.PgConnection setPrepareThreshold
BUONO: setPrepareThreshold = 5
set 18, 2018 3:35:15 PM org.postgresql.core.v3.ConnectionFactoryImpl openConnectionImpl
BUONO: Trying to establish a protocol version 3 connection to x.x.x.x:5432
set 18, 2018 3:35:15 PM org.postgresql.ssl.MakeSSL convert
BUONO: converting regular socket connection to ssl
set 18, 2018 3:35:16 PM org.postgresql.Driver connect
BUONO: Connection error:
org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:247)
at com.sonicle.aliseo.server.TestPostgresSSL.main(TestPostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more
 






From: Dave Cramer <[hidden email]>
To: Alexander Kjäll <[hidden email]>
Cc: [hidden email]
Date: 17 September 2018 12.38.18 CEST
Subject: Re: ssl connection issues



 

On Mon, 17 Sep 2018 at 06:10, Alexander Kjäll <[hidden email]> wrote:
Another avenue for debugging would be to get a free "real" certificate
from https://letsencrypt.org/ and check if that works.

That way you can see if it's something in your certificate creation
process that causes trouble.

//Alexander Kjäll

On 17. sep. 2018 11:56, Mark Rotteveel wrote:
> On 2018-09-17 11:23, Gabriele Bulfon wrote:
>> That may be a possibility, but given that I cannot upgrade at the
>> moment, how can I check this and maybe change the required cipher to
>> match?
>
> Debugging SSL problems is not really something I do regularly, but you
> may want to see if changing the settings in the java.security policy
> helps. Settings to try are:
>
> jdk.tls.disabledAlgorithms
> jdk.certpath.disabledAlgorithms
>
> For reference:
>
> Java 8 Update 31, disabled SSLv3:
> http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html,
> Java 8 Update 51, disabled some cipher suites, and limitations for DH
> keys were added:
> http://www.oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html,
> similar for Java 8 Update 60:
> http://www.oracle.com/technetwork/java/javase/8u60-relnotes-2620227.html
> Java 8 update 71 disabled MD5 hash validation of certificates
> Java 8 update 121 added restrictions on DSA keysize:
> http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
> Java 8 Update 141 disabled SHA-1 hashes for the certificate chain:
> http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html
> Java 8 update 161 added limitations for DH keys, made some changes to
> certificate validation and disabled a number of cipher suites:
> http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
> Java 8 update 171 disabled some ciphersuites:
> http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>
> Mark
>
 
 
have a look at certdir in the source code. Setting up the ssl tests is not particularly difficult. Perhaps getting our tests working first might shed some light ??
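A client-side pre-flight check, added here as an example and not code from pgjdbc or from anyone in the thread: it loads the files LibPQFactory expects (the PKCS#8 DER key, the client certificate and root.crt), confirms that the key belongs to the client certificate and that root.crt signed it, and prints each certificate's signature algorithm and key size so they can be compared with the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms lists Mark mentions. The file names, the RSA key type, the %APPDATA%\postgresql directory and the class name are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Added pre-flight check, not pgjdbc code. Assumes the LibPQFactory default file names (postgresql.pk8
// as unencrypted PKCS#8 DER, postgresql.crt, root.crt), RSA keys, and %APPDATA%\postgresql unless args[0] is given.
public class PgSslPreflight {
    static X509Certificate loadCert(CertificateFactory cf, Path p) throws Exception {
        try (InputStream in = Files.newInputStream(p)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : System.getenv("APPDATA") + "\\postgresql");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client = loadCert(cf, dir.resolve("postgresql.crt"));
        X509Certificate root = loadCert(cf, dir.resolve("root.crt"));
        // Same key format LibPQFactory reads; a PEM key fails here with InvalidKeySpecException.
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(
                new PKCS8EncodedKeySpec(Files.readAllBytes(dir.resolve("postgresql.pk8"))));
        // 1. Does the private key belong to postgresql.crt? Sign a probe, verify with the cert's key.
        byte[] probe = "preflight".getBytes("UTF-8");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key); sig.update(probe); byte[] signed = sig.sign();
        sig.initVerify(client.getPublicKey()); sig.update(probe);
        System.out.println("key matches postgresql.crt: " + sig.verify(signed));
        // 2. Is the client cert within its validity period and signed by root.crt? Both throw on failure.
        client.checkValidity();
        client.verify(root.getPublicKey());
        System.out.println("postgresql.crt chains to root.crt; subject = "
                + client.getSubjectX500Principal().getName()); // the CN must be the Postgres user
        // 3. Signature algorithm and key size, to compare against the JDK's disabled-algorithm lists.
        for (X509Certificate c : new X509Certificate[] { client, root }) {
            System.out.println(c.getSubjectX500Principal().getName() + ": " + c.getSigAlgName()
                    + ", " + ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() + "-bit RSA");
        }
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.certpath.disabledAlgorithms = " + Security.getProperty("jdk.certpath.disabledAlgorithms"));
    }
}
```

Run it with the same JDK that runs the JDBC client: the printed property values are that JDK's, so an MD5 or SHA-1 signature or a short key that appears in them is the kind of mismatch Mark's release-note list describes.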
 
Re: ssl connection issues

zloster
Hi to all,
IMO it will be better to inspect the SSL/TLS handshake at the client - the machine that is initiating the connection to the PostgreSQL server through the JDBC driver.

Here are some links with the basic stuff about debugging the SSL/TLS connections with the JVM:
  1. https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https - this is an introduction document. It points to two further pages: the first describes what debug tools are available and the second shows how to read the debug output.
  2. https://access.redhat.com/solutions/973783 - same as the above but in Q&A style
I've used the debug output once - I needed to investigate why communication with a test HTTPS endpoint was working from a browser but not from a Java 8 program. After nearly one day of looking at the connection logs the problem turned out to be in the certificate chain - the browser was happy with the intermediate certificates, but the JVM was not.

Best regards,
zloster

Re: ssl connection issues

Gabriele Bulfon-2
Thanks, I tried enabling all the client debug info, but didn't get much from it.
I will try to create certs from scratch, using the openssl tool instead of easy-rsa, and see if something changes.
 
Gabriele


-= Sent using Webtop 5 =-

Gabriele Bulfon - Sonicle S.r.l.

Tel +39 028246016 - Fax +39 028243880
Strada 6, Palazzo A13 - 20090 - Assago Milanofiori - MI
http://www.sonicle.com



