public inbox for [email protected]help / color / mirror / Atom feed
Misconfiguration on SSL for download.postgresql.org ? 4+ messages / 3 participants [nested] [flat]
* Misconfiguration on SSL for download.postgresql.org ? @ 2023-11-23 08:21 Frank Büttner <[email protected]> 0 siblings, 2 replies; 4+ messages in thread From: Frank Büttner @ 2023-11-23 08:21 UTC (permalink / raw) To: [email protected] Hi at all, since some day's all our servers can't download updates for the RPM packages of PostgreSQL. Error: Errors during downloading metadata for repository 'pgdg-common': - Curl error (35): SSL connect error for https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] Fehler: Failed to download metadata for repo 'pgdg-common': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried After checking the site via nmap: nmap -p 443 download.postgresql.org --script ssl-enum-ciphers | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A I found the problem, the "x25519" ciphers are missing. | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A Which are need on systems where the NIST curves are blocked for security reasons. So please re enable the x25519 curve. Thanks -- *Frank Büttner* IT MDC Berlin-Buch Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft Robert-Rössle-Straße 10 13125 Berlin ☎ +49 30 9406 2038 ℻ +49 30 9406 2599 ✉ [email protected] Attachments: [application/pkcs7-signature] smime.p7s (4.7K, 2-smime.p7s) download ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Misconfiguration on SSL for download.postgresql.org ? @ 2023-11-23 08:32 Laurenz Albe <[email protected]> parent: Frank Büttner <[email protected]> 1 sibling, 0 replies; 4+ messages in thread From: Laurenz Albe @ 2023-11-23 08:32 UTC (permalink / raw) To: Frank Büttner <[email protected]>; [email protected] I think this had better go to the pgsql-www list. Yours, Laurenz Albe On Thu, 2023-11-23 at 09:21 +0100, Frank Büttner wrote: > since some day's all our servers can't download updates for the RPM > packages of PostgreSQL. > > Error: > Errors during downloading metadata for repository 'pgdg-common': > - Curl error (35): SSL connect error for > https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml > [error:0A000410:SSL routines::sslv3 alert handshake failure] > Fehler: Failed to download metadata for repo 'pgdg-common': Cannot > download repomd.xml: Cannot download repodata/repomd.xml: All mirrors > were tried > > After checking the site via nmap: > nmap -p 443 download.postgresql.org --script ssl-enum-ciphers > > TLSv1.3: > > ciphers: > > TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A > > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A > > TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A > > > I found the problem, the "x25519" ciphers are missing. > > TLSv1.3: > > ciphers: > > TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A > > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A > > > Which are need on systems where the NIST curves are blocked for security > reasons. > > > So please re enable the x25519 curve. ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Misconfiguration on SSL for download.postgresql.org ? @ 2023-11-23 20:04 Stefan Kaltenbrunner <[email protected]> parent: Frank Büttner <[email protected]> 1 sibling, 1 reply; 4+ messages in thread From: Stefan Kaltenbrunner @ 2023-11-23 20:04 UTC (permalink / raw) To: Frank Büttner <[email protected]>; +Cc: [email protected]; PostgreSQL WWW <[email protected]> On 11/23/23 09:21, Frank Büttner wrote: > Hi at all, Hi Frank! > since some day's all our servers can't download updates for the RPM > packages of PostgreSQL. the current TLS configuration has been in place for a long time now - so I suspect the issue started when you constrained your local TLS client in terms of elliptic curves... > > Error: > Errors during downloading metadata for repository 'pgdg-common': > - Curl error (35): SSL connect error for > https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] > Fehler: Failed to download metadata for repo 'pgdg-common': Cannot > download repomd.xml: Cannot download repodata/repomd.xml: All mirrors > were tried > > After checking the site via nmap: > nmap -p 443 download.postgresql.org --script ssl-enum-ciphers > | TLSv1.3: > | ciphers: > | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A > | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A > | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A > > > I found the problem, the "x25519" ciphers are missing. > | TLSv1.3: > | ciphers: > | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A > | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A > > > Which are need on systems where the NIST curves are blocked for security > reasons. > > > So please re enable the x25519 curve. I would kinda argue that your current configuration is in direct violation of RFC8446(TLS 1.3) as well as 7748(elliptic curves for security) which explicitly state that x25519 only a SHOULD while supporting secp256r1 is declared a MUST and a mandatory supported key exchange so it seems a bit of a stretch to consider us not supporting it a "misconfiguration". However we have now modified our TLS configuration to fall back to the embedded curves list within openssl (which among other things) enables x25519. Stefan ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [ext] Re: Misconfiguration on SSL for download.postgresql.org ? @ 2023-11-28 07:06 Frank Büttner <[email protected]> parent: Stefan Kaltenbrunner <[email protected]> 0 siblings, 0 replies; 4+ messages in thread From: Frank Büttner @ 2023-11-28 07:06 UTC (permalink / raw) To: PostgreSQL WWW <[email protected]> Hi Stefan, now the download of the updates will works again. The exact date is unclear when the problems started. The only think that was done on our site war an update for the RHEL9 servers to 9.3 an for the RHEL8 one to 8.9 Thanks Frank Am 23.11.23 um 21:04 schrieb Stefan Kaltenbrunner: > On 11/23/23 09:21, Frank Büttner wrote: >> Hi at all, > > Hi Frank! > >> since some day's all our servers can't download updates for the RPM >> packages of PostgreSQL. > > the current TLS configuration has been in place for a long time now - so > I suspect the issue started when you constrained your local TLS client > in terms of elliptic curves... > >> >> Error: >> Errors during downloading metadata for repository 'pgdg-common': >> - Curl error (35): SSL connect error for >> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] >> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot >> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors >> were tried >> >> After checking the site via nmap: >> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers >> | TLSv1.3: >> | ciphers: >> | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A >> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A >> | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A >> >> >> I found the problem, the "x25519" ciphers are missing. >> | TLSv1.3: >> | ciphers: >> | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A >> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A >> >> >> Which are need on systems where the NIST curves are blocked for >> security reasons. >> >> >> So please re enable the x25519 curve. > > I would kinda argue that your current configuration is in direct > violation of RFC8446(TLS 1.3) as well as 7748(elliptic curves for > security) which explicitly state that x25519 only a SHOULD while > supporting secp256r1 is declared a MUST and a mandatory supported key > exchange so it seems a bit of a stretch to consider us not supporting it > a "misconfiguration". > > However we have now modified our TLS configuration to fall back to the > embedded curves list within openssl (which among other things) enables > x25519. > > > > Stefan -- *Frank Büttner* IT MDC Berlin-Buch Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft Robert-Rössle-Straße 10 13125 Berlin ☎ +49 30 9406 2038 ℻ +49 30 9406 2599 ✉ [email protected] Attachments: [application/pkcs7-signature] smime.p7s (4.7K, 2-smime.p7s) download ^ permalink raw reply [nested|flat] 4+ messages in thread
end of thread, other threads:[~2023-11-28 07:06 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2023-11-23 08:21 Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]> 2023-11-23 08:32 ` Laurenz Albe <[email protected]> 2023-11-23 20:04 ` Stefan Kaltenbrunner <[email protected]> 2023-11-28 07:06 ` Frank Büttner <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox