public inbox for [email protected]  
From: Laurenz Albe <[email protected]>
To: Frank Büttner <[email protected]>
To: [email protected]
Subject: Re: Misconfiguration on SSL for download.postgresql.org ?
Date: Thu, 23 Nov 2023 09:32:58 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

I think this had better go to the pgsql-www list.

Yours,
Laurenz Albe

On Thu, 2023-11-23 at 09:21 +0100, Frank Büttner wrote:
> since some days all our servers can't download updates for the RPM 
> packages of PostgreSQL.
> 
> Error:
> Errors during downloading metadata for repository 'pgdg-common':
>    - Curl error (35): SSL connect error for 
> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml 
> [error:0A000410:SSL routines::sslv3 alert handshake failure]
> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot 
> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors 
> were tried
> 
> After checking the site via nmap:
> nmap -p 443 download.postgresql.org  --script ssl-enum-ciphers
> >   TLSv1.3:
> >     ciphers:
> >       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
> >       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
> >       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
> 
> 
> I found the problem, the "x25519" ciphers are missing.
> >   TLSv1.3:
> >     ciphers:
> >       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> >       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
> 
> 
> Which are needed on systems where the NIST curves are blocked for security 
> reasons.
> 
> 
> So please re-enable the x25519 curve.
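
Added example (not part of the original thread or of any project's code): a small Python check that parses `ssl-enum-ciphers` output like the two excerpts quoted above and intersects the reported key-exchange groups with the groups a client permits. The `CLIENT_GROUPS` policy and all function names are assumptions; like the post, it treats the group printed beside each cipher as what the server offers.

```python
import re

# Constructed inputs: the two ssl-enum-ciphers excerpts quoted in the post.
SERVER_SCAN = """\
>   TLSv1.3:
>     ciphers:
>       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
>       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
>       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
"""
EXPECTED_SCAN = """\
>   TLSv1.3:
>     ciphers:
>       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
>       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
"""
# Assumption: client policy with the NIST curves blocked, x25519 only.
CLIENT_GROUPS = {"x25519"}

VERSION_RE = re.compile(r"^\s*((?:TLS|SSL)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\s*[A-Z0-9_]+\s+\(([^)]+)\)\s+-\s+\S+\s*$")


def normalize_group(label):
    """Map nmap's label (e.g. 'ecdh_x25519') to the bare group name."""
    label = label.strip().lower()
    return label[len("ecdh_"):] if label.startswith("ecdh_") else label


def parse_groups(scan_text):
    """Return {protocol version: set of key-exchange groups} from scan text."""
    groups, version = {}, None
    for raw in scan_text.splitlines():
        line = raw.lstrip("> |")  # tolerate mail quoting and nmap's '|' gutter
        if m := VERSION_RE.match(line):
            version = m.group(1)
            groups.setdefault(version, set())
        elif version and (m := CIPHER_RE.match(line)):
            groups[version].add(normalize_group(m.group(1)))
    return groups


def shared_groups(scan_text, client_groups):
    """Per protocol version, the groups both the scan and the client allow."""
    return {v: sorted(g & set(client_groups))
            for v, g in parse_groups(scan_text).items()}


if __name__ == "__main__":
    for name, scan in (("server", SERVER_SCAN), ("expected", EXPECTED_SCAN)):
        for version, common in shared_groups(scan, CLIENT_GROUPS).items():
            print(name, version, common or "no shared group -> handshake failure")
```

An empty list for a protocol version means the scan shows no group the client policy accepts, which matches the handshake failure reported for the first excerpt.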
