BUG #14625: Error "sslv3 alert certificate expired" with valid certificate

From: pavel(dot)l(dot)kirichenko(at)gmail(dot)com
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #14625: Error "sslv3 alert certificate expired" with valid certificate
Date: 2017-04-18 14:29:19
Message-ID: 20170418142919.24369.5931@wrigleys.postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 14625
Logged by: Pavel Kirichenko
Email address: pavel(dot)l(dot)kirichenko(at)gmail(dot)com
PostgreSQL version: 9.6.2
Operating system: FreeBSD 11.0-RELEASE-p9 amd64
Description:

Version OpenSSL 1.0.2k_1,1

postgresql.conf
ssl = true
ssl_ciphers = 'kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'
ssl_cert_file = './ssl/server.crt'
ssl_key_file = './ssl/server.key'
ssl_ca_file = './ssl/root.crt'
ssl_crl_file = './ssl/root.crl'

pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all postgres md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
hostssl all all 0.0.0.0/0 md5 clientcert=1
# IPv6 local connections:
host all all ::1/128 md5
hostssl all all ::/0 md5 clientcert=1

I tried to connect from the command line interface:
$ psql --host=192.168.1.3 --port=6543 --username=postgres --dbname=template1
psql: SSL error: certificate verify failed

So I got this log message:
LOG: could not accept SSL connection: sslv3 alert certificate expired

Then I checked the certificates.

[pavel(dot)l(dot)kirichenko(at)rat-3o3r3d3 /usr/home/pavel.l.kirichenko/.postgresql]$ openssl x509 -in ./postgresql.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption

        Validity
            Not Before: Mar 20 13:05:04 2017 GMT
            Not After : Mar 18 13:05:04 2027 GMT

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Time on the server is:
$ date
Monday, 17 April 2017, 17:45:37 (+04)

Apparently, the certificate has not expired.

You can say that the problem is in OpenSSL. I checked it. With these
certificates I configured a test nginx site on the same server; it works
properly.

The same error is repeated everywhere: psql, pgAdmin, connection via the
dotConnect driver.
I also tested PostgreSQL version 9.4.11, tried reducing the key length to 512
bits, and even psql on Ubuntu 14.04.1, with no success.

Certificates:
server https://mega.nz/#!j9NTlCgD!6Rps9gF5s9b4qSkcliMQzKowWBDEMT5q28WqnVsJpAo
client https://mega.nz/#!DltUWYia!lvR5BfKlxTS0TK0gYNHTsZrhjUngTTRQRkTwWsf5V6c
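
Editor's note and added example (not part of the report above, and not PostgreSQL's or OpenSSL's own code). Two things worth checking in a case like this. First, "could not accept SSL connection: sslv3 alert certificate expired" is OpenSSL's wording for an alert the server received from its peer, so it was the client that rejected the certificate it was shown; libpq verifies the server certificate whenever ~/.postgresql/root.crt exists, regardless of sslmode, and also loads ~/.postgresql/root.crl when that file is present. Second, OpenSSL sends the same certificate_expired alert for an expired CRL (X509_V_ERR_CRL_HAS_EXPIRED) as for an expired certificate, so reading the certificate's Not Before/Not After with openssl x509 cannot rule that case out. The script below builds a throwaway CA, a client certificate valid for ten years and two CRLs from that CA (all constructed test data; the CA name, file names and the WORK directory are assumptions made here), then runs the chain-plus-CRL verification with the openssl CLI and shows the never-expiring certificate failing with "CRL has expired" against a lapsed CRL and passing against a fresh one.

```shell
#!/bin/sh
# Added example, not part of the original bug report: reproduce the check that
# PostgreSQL (ssl_ca_file + ssl_crl_file) or libpq (~/.postgresql/root.crt +
# root.crl) performs on the peer certificate, using the openssl CLI rather
# than only reading the certificate's own validity dates.
# All keys, certificates and CRLs below are throwaway test data generated here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a req section for the self-signed root and a ca
# section that is used only to issue CRLs. Names are assumptions.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = root_ext
[ req_dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/root.crt
private_key = $WORK/root.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
policy = local_policy
[ local_policy ]
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Root CA (root.crt) and a client certificate signed by it, both valid for
# ten years, so neither is anywhere near expiry.
openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=postgres" \
    -keyout "$WORK/postgresql.key" -out "$WORK/postgresql.csr" 2>/dev/null
openssl x509 -req -in "$WORK/postgresql.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 3650 -sha256 -out "$WORK/postgresql.crt" 2>/dev/null

# Two CRLs from the same CA: one whose nextUpdate lapses after one second
# (a CRL file that was never reissued) and one good for 30 days.
openssl ca -config "$WORK/ca.cnf" -gencrl -crlsec 1 -out "$WORK/root-expired.crl" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 -out "$WORK/root-fresh.crl" 2>/dev/null
sleep 2

# What 'openssl x509 -text' shows: the certificate's own validity window.
cert_validity() { openssl x509 -in "$1" -noout -dates; }
# What it does not show: when the CRL that will be consulted stops being valid.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate; }

# The verification applied to the peer certificate: chain to root.crt and,
# because a CRL is configured, a CRL check on the leaf. The verdict is taken
# from the printed output rather than the exit status, because 'openssl
# verify' in the 1.0.x series exits 0 even when it reports an error.
verify_against_crl() {
    openssl verify -crl_check -CAfile "$WORK/root.crt" -CRLfile "$1" \
        "$WORK/postgresql.crt" 2>&1 || true
}

cert_validity "$WORK/postgresql.crt"
for crl in root-expired root-fresh; do
    echo "== $crl: $(crl_next_update "$WORK/$crl.crl")"
    verify_against_crl "$WORK/$crl.crl"
done
```

To apply the same check to a real deployment, point -CAfile, -CRLfile and the leaf argument at the root.crt, root.crl and postgresql.crt (or server.crt) actually installed on the side that raised the alert, and compare the CRL's nextUpdate with that machine's clock as well as the certificate's dates.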
