Message-ID: <34ab1ccd6d9fdad0caf20a37eb19edc4f59db1c7.camel@cybertec.at>
Subject: Re: Misconfiguration on SSL for download.postgresql.org ?
From: Laurenz Albe
To: Frank Büttner, pgsql-www@lists.postgresql.org
Date: Thu, 23 Nov 2023 09:32:58 +0100
In-Reply-To: <618816f6-d07a-4d1b-88ad-ef2113e463af@mdc-berlin.de>

I think this had better go to the pgsql-www list.

Yours,
Laurenz Albe

On Thu, 2023-11-23 at 09:21 +0100, Frank Büttner wrote:
> Since some days all our servers can't download updates for the RPM
> packages of PostgreSQL.
>
> Error:
> Errors during downloading metadata for repository 'pgdg-common':
>   - Curl error (35): SSL connect error for
> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml
> [error:0A000410:SSL routines::sslv3 alert handshake failure]
> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
> were tried
>
> After checking the site via nmap:
> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
> > TLSv1.3:
> > ciphers:
> > TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
> > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
> > TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
>
>
> I found the problem, the "x25519" ciphers are missing.
> > TLSv1.3:
> > ciphers:
> > TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
>
> Which are needed on systems where the NIST curves are blocked for security
> reasons.
>
>
> So please re-enable the x25519 curve.
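
The mismatch described in the message (a client that blocks NIST curves, a scan that lists only secp384r1), as an added example that is not part of the original mail: it extracts the key-exchange groups from `ssl-enum-ciphers` output and compares them with a client group policy. The `|`-prefixed scan text is constructed from the lines quoted above, and the function names and the x25519/x448 policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Scan text is constructed from the
# nmap ssl-enum-ciphers lines quoted in the message.
SCAN_FAILING='| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A'
SCAN_WANTED='| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A'

# Print each distinct key-exchange group listed beside a TLS 1.3 cipher.
offered_groups() {
  awk '
    /TLSv1\.[0-9]:/ { in13 = ($0 ~ /TLSv1\.3:/) }   # which protocol section
    in13 && /TLS_AKE_WITH_/ && match($0, /\([^)]*\)/) {
      g = substr($0, RSTART + 1, RLENGTH - 2)
      sub(/^ecdh_/, "", g)                          # ecdh_x25519 -> x25519
      if (!(g in seen)) { seen[g] = 1; print g }
    }'
}

# Read a scan on stdin; arguments are the groups the client policy allows.
# Prints the first allowed group the scan lists, or fails with the mismatch.
shared_group() {
  offered=$(offered_groups)
  for g in "$@"; do
    if printf '%s\n' "$offered" | grep -qx "$g"; then
      printf '%s\n' "$g"
      return 0
    fi
  done
  echo "no shared group; scan lists: $(echo $offered)" >&2
  return 1
}

# Assumed client policy with NIST curves blocked: x25519 and x448 only.
for scan in "$SCAN_FAILING" "$SCAN_WANTED"; do
  printf '%s\n' "$scan" | shared_group x25519 x448 || echo "-> handshake would fail"
done
```

To check the live server directly, `openssl s_client -connect download.postgresql.org:443 -tls1_3 -groups X25519` sends a ClientHello that offers only that group.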