[openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Nov 9 12:57:48 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Graham Leggett
> Sent: Thursday, November 09, 2017 06:18
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

> On 09 Nov 2017, at 4:17 AM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:

> > Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2 protocol level but not
> > supporting any of the 1.2 suites.

> Does this definitely mean no cipher, or could it mean “I failed earlier in the process before 
> I took note of the cipher, like with the no peer certificate available"?

Well, in this case it seems to mean "the server and I agreed on a cipher suite, but the server didn't do the thing it needed to do to make that suite usable".

> > Hmm. This claims they agreed on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Maybe
> > no ECC curves in common for ECDHE Kx?

> This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu xenial), although
> trying openssl as shipped by MacOS Sierra on the client side gives the same result.

At least prior to 1.1.0, to use ECC in OpenSSL the application has to make some additional calls. (I don't remember offhand how much of this goes away in the 1.1.0 API.) So it's quite possible for two applications using stock OpenSSL 1.0.x to fail to use an ECC suite.

> I set the ciphers explicitly on the server side to DEFAULT and got the same result (eliminating
> whatever weird settings postgresql-on-ubuntu might have as a default).

DEFAULT includes ECC suites. You should try something like DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.

> When openssl v1.0.2m tries to connect to postgresql running openssl v1.0.1f (ubuntu xenial), I get different behaviour:
> ...
> 2017-11-09 11:01:19 UTC [12025-1] [unknown]@[unknown] LOG:  invalid length of startup packet

Offhand, I don't know what the problem is here.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list