[7.3] can't connect with SSL

Started by valerian over 23 years ago, 7 messages, general
#1 valerian
valerian2@hotpop.com

I just upgraded my server from 7.2.1 to 7.3 last night, and can no longer
connect over SSL (unencrypted connections still work ok, but I really need
SSL). I get the following error messages when I try to connect:

psql (PostgreSQL client) 7.2.1
psql: could not establish SSL connection: No SSL error reported

serverlog:
FATAL: failed to initialize SSL connection: wrong version number

I have the same version of openssl on both the client and server
machines. Both are running Debian 3.0, with these libs:
- libssl-dev 0.9.6c-2.woody SSL development libraries, header files
- libssl0.9.6 0.9.6c-2.woody SSL shared libraries
- openssl 0.9.6c-2.woody Secure Socket Layer (SSL) binary and related

My server configuration is like so (everything else is default):

pg_hba.conf:
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all crypt
hostssl all all 0.0.0.0 0.0.0.0 md5

postgresql.conf:
tcpip_socket = true
ssl = true

It was of course also configured for use with SSL:
./configure --with-perl --with-openssl=/usr/include/openssl
checking for SSL_library_init in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes

Now it sounds to me like this is an SSL handshake problem, but I don't
see why, because I have exactly the same version of openssl on both the
client and server machines. On my client machine, I still have v7.2.1
of 'psql' (the client binary) as that's what came bundled with my
operating system. I'm fairly certain that's not what's causing the
problem though (or is it?).
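A small check for the symptom above, added here and not part of the thread: it sends PostgreSQL's SSLRequest packet, reads the server's one-byte S/N answer, and, if SSL is accepted, completes a TLS handshake to show which protocol version and cipher the server actually negotiates. It assumes Python 3 with the standard ssl module and a reachable server on port 5432; the function names are my own.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by the request code
# 80877103, i.e. (1234 << 16) | 5679, sent before any StartupMessage.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest packet a client sends first."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(byte: bytes) -> bool:
    """Interpret the server's single-byte answer: b'S' means proceed with
    TLS on this socket, b'N' means the server refuses SSL (ssl=off or a
    build without OpenSSL). Anything else is a protocol violation."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response: {byte!r}")


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> dict:
    """Send SSLRequest, then (if accepted) run a TLS handshake and report
    what the server negotiated. The certificate is deliberately not
    verified: this is a version/cipher diagnostic, not an authenticated
    connection, so do not reuse the context for real sessions."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not parse_ssl_response(sock.recv(1)):
            return {"ssl_accepted": False}
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        # A protocol-version mismatch between the two ends surfaces here
        # as an ssl.SSLError instead of a silent failure.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {
                "ssl_accepted": True,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
            }


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Modern OpenSSL can do the same handshake from the shell with `openssl s_client -starttls postgres -connect host:5432`.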

#2 Bruce Momjian
bruce@momjian.us
In reply to: valerian (#1)
Re: [7.3] can't connect with SSL

We did overhaul the SSL code for 7.3, and I was able to get it working
using OpenSSL 0.9.6e 30 Jul 2002. Have you read the new SSL
documentation in 7.3?


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
#3 valerian
valerian2@hotpop.com
In reply to: Bruce Momjian (#2)
Re: [7.3] can't connect with SSL

On Fri, Dec 06, 2002 at 12:44:13PM -0500, Bruce Momjian wrote:

> We did overhaul the SSL code for 7.3, and I was able to get it working
> using OpenSSL 0.9.6e 30 Jul 2002. Have you read the new SSL
> documentation in 7.3?

Ah, so I must be using an outdated openssl then. I had read the INSTALL
file before compiling v7.3, but it didn't mention anything beyond making
sure you have a full openssl installation (with headers and all that).

I checked the new docs, but the SSL section doesn't say much beyond how
to create certificates and set up your pg_hba.conf. The SSH tunnel idea
works fine though. Guess I'll run with that for now. It's not as nice
as having 'hostssl' as the only remote connection option (since it
doesn't enforce encryption), but oh well.

#4 Bruce Momjian
bruce@momjian.us
In reply to: valerian (#3)
Re: [7.3] can't connect with SSL

valerian wrote:

> On Fri, Dec 06, 2002 at 12:44:13PM -0500, Bruce Momjian wrote:
>
>> We did overhaul the SSL code for 7.3, and I was able to get it working
>> using OpenSSL 0.9.6e 30 Jul 2002. Have you read the new SSL
>> documentation in 7.3?
>
> Ah, so I must be using an outdated openssl then. I had read the INSTALL
> file before compiling v7.3, but it didn't mention anything beyond making
> sure you have a full openssl installation (with headers and all that).

We didn't know what OpenSSL releases it supported.

> I checked the new docs, but the SSL section doesn't say much beyond how
> to create certificates and set up your pg_hba.conf. The SSH tunnel idea

Yep, that was all we have.

> works fine though. Guess I'll run with that for now. It's not as nice
> as having 'hostssl' as the only remote connection option (since it
> doesn't enforce encryption), but oh well.

I had hostssl working here on BSD/OS. One issue we had was that he went
with TLS encryption, which he said was fairly new but is the best one to
use. I got it working here so I figured it was OK. It would be
interesting to know if a newer version fixes it for you.

#5 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Bruce Momjian (#4)
Re: [7.3] can't connect with SSL

valerian wrote:

> Ah, so I must be using an outdated openssl then.

An update would be a good idea in any case. IIRC, there are known
security loopholes in all openssl releases up to very recent times.
I'm using 0.9.6g here; I am pretty sure 0.9.6c is vulnerable,
not sure about 0.9.6e. See www.openssl.org for details.

regards, tom lane

#6 valerian
valerian2@hotpop.com
In reply to: Bruce Momjian (#4)
Re: [7.3] can't connect with SSL

On Fri, Dec 06, 2002 at 02:07:13PM -0500, Bruce Momjian wrote:

> I had hostssl working here on BSD/OS. One issue we had was that he went
> with TLS encryption, which he said was fairly new but is the best one to
> use. I got it working here so I figured it was OK. It would be
> interesting to know if a newer version fixes it for you.

I have a feeling that'll fix the problem, but alas I don't have time to
compile/install a more recent version of openssl at the moment (pretty
swamped now, been working 16 hour days). But I'm pretty curious about
this myself, so I'll let y'all know how it turns out.

#7 valerian
valerian2@hotpop.com
In reply to: Tom Lane (#5)
Re: [7.3] can't connect with SSL

On Fri, Dec 06, 2002 at 03:39:36PM -0500, Tom Lane wrote:

> An update would be a good idea in any case. IIRC, there are known
> security loopholes in all openssl releases up to very recent times.
> I'm using 0.9.6g here; I am pretty sure 0.9.6c is vulnerable,
> not sure about 0.9.6e. See www.openssl.org for details.

Actually it's quite safe, because it's from a Debian package and they
often back-port serious/security-related bug fixes. Weird, I know,
but they don't like to add untested software to their 'stable' branch
if at all possible. They prefer applying the patches themselves.