From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: buildfarm server suddenly not talking to old SSL stacks? |
Date: | 2018-07-17 17:39:12 |
Message-ID: | CABUevEwJ7QT53Yxe6Q=SH05iTJ_Cv=4Twg5yPWpDs_wUxUM2VQ@mail.gmail.com |
Lists: | pgsql-www |
On Tue, Jul 17, 2018 at 7:29 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Tue, Jul 17, 2018 at 7:04 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> Also, on prairiedog's host, this is what I get for the https case:
> >>
> >> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("https://buildfarm.postgresql.org/branches_of_interest.txt");'
> >> 500 Can't connect to buildfarm.postgresql.org:443 <URL:https://buildfarm.postgresql.org/branches_of_interest.txt>
> >>
> >> which isn't terribly informative but it doesn't look like an SSL
> >> certificate failure.
>
> > That one I believe more in since it could be because of SSL issues. What do
> > you get with curl on that one?
>
> Both machines show the same behavior with curl:
>
> $ curl https://buildfarm.postgresql.org/branches_of_interest.txt
> curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
>
Ah. Some googling shows that does seem to indicate an old version of
OpenSSL.

The old config rejected sslv2 and sslv3, but allowed tlsv1.
The new one refuses both tlsv1 and tlsv1.1, allowing only tlsv1.2.

As a check if this might be it, I have at least temporarily removed that
restriction. Can you try again now?
> $ curl http://buildfarm.postgresql.org/branches_of_interest.txt
> REL9_3_STABLE
> REL9_4_STABLE
> REL9_5_STABLE
> REL9_6_STABLE
> REL_10_STABLE
> REL_11_STABLE
> HEAD
>
> Now, curl is the OS-supplied one and probably isn't sharing any userspace
> infrastructure at all with prairiedog's Perl stack. On the other hand,
> dromedary is using Apple's perl installation so it's possible that it
> shares root-certificate infrastructure with curl.
>
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
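
An added example, not part of the original message or of any buildfarm code: decoding the packed OpenSSL error code from the curl output quoted above shows that it is a TLS alert sent by the server (`protocol_version`), not a certificate failure raised locally by the client. It assumes the pre-3.0 OpenSSL error layout; the function names and the contrast line are constructed for illustration.

```python
import re

# OpenSSL before 3.0 packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 0x14
# SSL reasons >= 1000 are alerts received from the peer: 1000 + alert number.
SSL_AD_REASON_OFFSET = 1000
SSL_R_CERTIFICATE_VERIFY_FAILED = 134

# TLS alert descriptions (RFC 5246, section 7.2); subset.
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              71: "insufficient_security", 80: "internal_error"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(line):
    """Split the packed code in an OpenSSL error line into its fields."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def diagnose(line):
    """Classify a client-side handshake error as peer alert or local failure."""
    f = decode(line)
    if f is None or f["lib"] != ERR_LIB_SSL:
        return "not an SSL library error"
    if f["reason"] >= SSL_AD_REASON_OFFSET:
        alert = f["reason"] - SSL_AD_REASON_OFFSET
        return "peer sent alert: " + TLS_ALERTS.get(alert, "alert %d" % alert)
    if f["reason"] == SSL_R_CERTIFICATE_VERIFY_FAILED:
        return "local certificate verification failed"
    return "local SSL error, reason %d" % f["reason"]

# Error line quoted in the message above.
PAGE_LINE = ("curl: (35) error:1407742E:SSL routines:"
             "SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version")
# Constructed contrast case: a trust-store failure raised by the client itself.
CERT_LINE = ("error:14090086:SSL routines:"
             "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed")

if __name__ == "__main__":
    for line in (PAGE_LINE, CERT_LINE):
        print(diagnose(line))
```

A `protocol_version` alert from the peer points at the server's allowed-protocol configuration and the client's TLS library version, while a local verification failure points at the client's root-certificate store.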