> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Graham Leggett
> Sent: Thursday, November 09, 2017 06:18
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
>
> On 09 Nov 2017, at 4:17 AM, Michael Wojcik <michael.woj...@microfocus.com> wrote:
>
> > Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2
> > protocol level but not supporting any of the 1.2 suites.
>
> Does this definitely mean no cipher, or could it mean "I failed earlier in
> the process before I took note of the cipher, like with the no peer
> certificate available"?

Well, in this case it seems to mean "the server and I agreed on a cipher suite, but the server didn't do the thing it needed to do to make that suite usable".

> > Hmm. This claims they agreed on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
> > Maybe no ECC curves in common for ECDHE Kx?
>
> This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu
> xenial), although trying openssl as shipped by MacOS Sierra on the client
> side gives the same result.

At least prior to 1.1.0, to use ECC in OpenSSL the application has to make some additional calls. (I don't remember offhand how much of this goes away in the 1.1.0 API.) So it's quite possible for two applications using stock OpenSSL 1.0.x to fail to use an ECC suite.

> I set the ciphers explicitly on the server side to DEFAULT and got the same
> result (eliminating whatever weird settings postgresql-on-ubuntu might have
> as a default).

DEFAULT includes ECC suites. You should try something like DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.

> When openssl v1.0.2m tries to connect to postgresql running openssl v1.0.1f
> (ubuntu xenial), I get different behaviour:
> ...
> 2017-11-09 11:01:19 UTC [12025-1] [unknown]@[unknown] LOG: invalid length of startup packet

Offhand, I don't know what the problem is here.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users