public inbox for [email protected]
help / color / mirror / Atom feedMisconfiguration on SSL for download.postgresql.org ?
4+ messages / 3 participants
[nested] [flat]
* Misconfiguration on SSL for download.postgresql.org ?
@ 2023-11-23 08:21 Frank Büttner <[email protected]>
2023-11-23 08:32 ` Re: Misconfiguration on SSL for download.postgresql.org ? Laurenz Albe <[email protected]>
2023-11-23 20:04 ` Re: Misconfiguration on SSL for download.postgresql.org ? Stefan Kaltenbrunner <[email protected]>
0 siblings, 2 replies; 4+ messages in thread
From: Frank Büttner @ 2023-11-23 08:21 UTC (permalink / raw)
To: [email protected]
Hi at all,
since some day's all our servers can't download updates for the RPM
packages of PostgreSQL.
Error:
Errors during downloading metadata for repository 'pgdg-common':
- Curl error (35): SSL connect error for
https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml
[error:0A000410:SSL routines::sslv3 alert handshake failure]
Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
were tried
After checking the site via nmap:
nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
I found the problem, the "x25519" ciphers are missing.
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
Which are need on systems where the NIST curves are blocked for security
reasons.
So please re enable the x25519 curve.
Thanks
--
*Frank Büttner*
IT
MDC Berlin-Buch
Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft
Robert-Rössle-Straße 10
13125 Berlin
☎ +49 30 9406 2038
℻ +49 30 9406 2599
✉ [email protected]
Attachments:
[application/pkcs7-signature] smime.p7s (4.7K, 2-smime.p7s)
download
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Misconfiguration on SSL for download.postgresql.org ?
2023-11-23 08:21 Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]>
@ 2023-11-23 08:32 ` Laurenz Albe <[email protected]>
1 sibling, 0 replies; 4+ messages in thread
From: Laurenz Albe @ 2023-11-23 08:32 UTC (permalink / raw)
To: Frank Büttner <[email protected]>; [email protected]
I think this had better go to the pgsql-www list.
Yours,
Laurenz Albe
On Thu, 2023-11-23 at 09:21 +0100, Frank Büttner wrote:
> since some day's all our servers can't download updates for the RPM
> packages of PostgreSQL.
>
> Error:
> Errors during downloading metadata for repository 'pgdg-common':
> - Curl error (35): SSL connect error for
> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml
> [error:0A000410:SSL routines::sslv3 alert handshake failure]
> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
> were tried
>
> After checking the site via nmap:
> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
> > TLSv1.3:
> > ciphers:
> > TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
> > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
> > TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
>
>
> I found the problem, the "x25519" ciphers are missing.
> > TLSv1.3:
> > ciphers:
> > TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> > TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
>
> Which are need on systems where the NIST curves are blocked for security
> reasons.
>
>
> So please re enable the x25519 curve.
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Misconfiguration on SSL for download.postgresql.org ?
2023-11-23 08:21 Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]>
@ 2023-11-23 20:04 ` Stefan Kaltenbrunner <[email protected]>
2023-11-28 07:06 ` Re: [ext] Re: Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]>
1 sibling, 1 reply; 4+ messages in thread
From: Stefan Kaltenbrunner @ 2023-11-23 20:04 UTC (permalink / raw)
To: Frank Büttner <[email protected]>; +Cc: [email protected]; PostgreSQL WWW <[email protected]>
On 11/23/23 09:21, Frank Büttner wrote:
> Hi at all,
Hi Frank!
> since some day's all our servers can't download updates for the RPM
> packages of PostgreSQL.
the current TLS configuration has been in place for a long time now - so
I suspect the issue started when you constrained your local TLS client
in terms of elliptic curves...
>
> Error:
> Errors during downloading metadata for repository 'pgdg-common':
> - Curl error (35): SSL connect error for
> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure]
> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
> were tried
>
> After checking the site via nmap:
> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
> | TLSv1.3:
> | ciphers:
> | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
> | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
>
>
> I found the problem, the "x25519" ciphers are missing.
> | TLSv1.3:
> | ciphers:
> | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
>
> Which are need on systems where the NIST curves are blocked for security
> reasons.
>
>
> So please re enable the x25519 curve.
I would kinda argue that your current configuration is in direct
violation of RFC8446(TLS 1.3) as well as 7748(elliptic curves for
security) which explicitly state that x25519 only a SHOULD while
supporting secp256r1 is declared a MUST and a mandatory supported key
exchange so it seems a bit of a stretch to consider us not supporting it
a "misconfiguration".
However we have now modified our TLS configuration to fall back to the
embedded curves list within openssl (which among other things) enables
x25519.
Stefan
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [ext] Re: Misconfiguration on SSL for download.postgresql.org ?
2023-11-23 08:21 Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]>
2023-11-23 20:04 ` Re: Misconfiguration on SSL for download.postgresql.org ? Stefan Kaltenbrunner <[email protected]>
@ 2023-11-28 07:06 ` Frank Büttner <[email protected]>
0 siblings, 0 replies; 4+ messages in thread
From: Frank Büttner @ 2023-11-28 07:06 UTC (permalink / raw)
To: PostgreSQL WWW <[email protected]>
Hi Stefan,
now the download of the updates will works again.
The exact date is unclear when the problems started.
The only think that was done on our site war an update for the RHEL9
servers to 9.3 an for the RHEL8 one to 8.9
Thanks
Frank
Am 23.11.23 um 21:04 schrieb Stefan Kaltenbrunner:
> On 11/23/23 09:21, Frank Büttner wrote:
>> Hi at all,
>
> Hi Frank!
>
>> since some day's all our servers can't download updates for the RPM
>> packages of PostgreSQL.
>
> the current TLS configuration has been in place for a long time now - so
> I suspect the issue started when you constrained your local TLS client
> in terms of elliptic curves...
>
>>
>> Error:
>> Errors during downloading metadata for repository 'pgdg-common':
>> - Curl error (35): SSL connect error for
>> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure]
>> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
>> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
>> were tried
>>
>> After checking the site via nmap:
>> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
>> | TLSv1.3:
>> | ciphers:
>> | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
>> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
>> | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
>>
>>
>> I found the problem, the "x25519" ciphers are missing.
>> | TLSv1.3:
>> | ciphers:
>> | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
>> | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>>
>>
>> Which are need on systems where the NIST curves are blocked for
>> security reasons.
>>
>>
>> So please re enable the x25519 curve.
>
> I would kinda argue that your current configuration is in direct
> violation of RFC8446(TLS 1.3) as well as 7748(elliptic curves for
> security) which explicitly state that x25519 only a SHOULD while
> supporting secp256r1 is declared a MUST and a mandatory supported key
> exchange so it seems a bit of a stretch to consider us not supporting it
> a "misconfiguration".
>
> However we have now modified our TLS configuration to fall back to the
> embedded curves list within openssl (which among other things) enables
> x25519.
>
>
>
> Stefan
--
*Frank Büttner*
IT
MDC Berlin-Buch
Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft
Robert-Rössle-Straße 10
13125 Berlin
☎ +49 30 9406 2038
℻ +49 30 9406 2599
✉ [email protected]
Attachments:
[application/pkcs7-signature] smime.p7s (4.7K, 2-smime.p7s)
download
^ permalink raw reply [nested|flat] 4+ messages in thread
end of thread, other threads:[~2023-11-28 07:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2023-11-23 08:21 Misconfiguration on SSL for download.postgresql.org ? Frank Büttner <[email protected]>
2023-11-23 08:32 ` Laurenz Albe <[email protected]>
2023-11-23 20:04 ` Stefan Kaltenbrunner <[email protected]>
2023-11-28 07:06 ` Frank Büttner <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox