Despite printing "no peer certificate available" below, the postgresql server serves three certificates (two intermediates and a leaf) as picked up by ssldump.
In this case it is the client side that is triggering the handshake failure, not the server. The client side refuses to add the cause of the handshake failure to the error message, which is definitely a bug.

postgres@sql02:~$ openssl s_client -verify 10 -CAfile .postgresql/root.crt -key .postgresql/postgresql.key -cert .postgresql/postgresql.crt -connect sql01:5432 -servername sql01
verify depth is 10
CONNECTED(00000003)
139930468939416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 379 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510188432
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

--
https://bugs.launchpad.net/bugs/1612711

Title:
  TLS negation fails

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  This seems like a duplicate of #965371, however that is marked fixed,
  so I don't know.

  I'm running 16.04.1. I'm setting up OpenLDAP with TLS.

  I've followed the instructions at
  https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls,
  and test with the command

    openssl s_client -connect my.server.com:389 -showcerts

  and I get the error:

    140668035487384:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177