The following bug has been logged on the website:
Bug reference: 14625
Logged by: Pavel Kirichenko
Email address: pavel.l.kirichenko@gmail.com
PostgreSQL version: 9.6.2
Operating system: FreeBSD 11.0-RELEASE-p9 amd64
Description:
Version OpenSSL 1.0.2k_1,1
postgresql.conf
ssl = true
ssl_ciphers = 'kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'
ssl_cert_file = './ssl/server.crt'
ssl_key_file = './ssl/server.key'
ssl_ca_file = './ssl/root.crt'
ssl_crl_file = './ssl/root.crl'
pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all postgres md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
hostssl all all 0.0.0.0/0 md5 clientcert=1
# IPv6 local connections:
host all all ::1/128 md5
hostssl all all ::/0 md5 clientcert=1
I tried to connect from the command line interface:
$ psql --host=192.168.1.3 --port=6543 --username=postgres --dbname=template1
psql: SSL error: certificate verify failed
So I got this log message:
LOG: could not accept SSL connection: sslv3 alert certificate expired
Then I checked the certificates.
[pavel.l.kirichenko@rat-3o3r3d3 /usr/home/pavel.l.kirichenko/.postgresql]$ openssl x509 -in ./postgresql.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Mar 20 13:05:04 2017 GMT
            Not After : Mar 18 13:05:04 2027 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
Time on the server is:
$ date
monday, 17 april 2017 г. 17:45:37 (+04)
Apparently, the certificate has not expired.
You can say that the problem is in OpenSSL. I checked it. With these
certificates I configured the test nginx site on the same server — it works
properly.
The same error is repeated everywhere: psql, pgAdmin, connection via
dotConnect driver.
Also I tested PostgreSQL version 9.4.11, I tried to reduce key length to 512
bit and even psql on Ubuntu 14.04.1 with no success.
Certificates:
server https://mega.nz/#!j9NTlCgD!6Rps9gF5s9b4qSkcliMQzKowWBDEMT5q28WqnVsJpAo
client https://mega.nz/#!DltUWYia!lvR5BfKlxTS0TK0gYNHTsZrhjUngTTRQRkTwWsf5V6c
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
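Added example (not part of the original report, and not PostgreSQL or OpenSSL code): the "certificate expired" alert does not say which object failed its time check, so this Python check reads the date lines printed by `openssl x509 -noout -dates` and `openssl crl -noout -lastupdate -nextupdate` for every file in play and compares them, in UTC, with the server clock from the report. The function names are hypothetical, and the root.crt and root.crl dates are constructed sample values.

```python
from datetime import datetime, timezone, timedelta

# Field names printed by `openssl x509 -noout -dates` and
# `openssl crl -noout -lastupdate -nextupdate`.
START_KEYS = ("notBefore", "lastUpdate")
END_KEYS = ("notAfter", "nextUpdate")

def parse_openssl_time(value):
    """Parse 'Mar 20 13:05:04 2017 GMT' into an aware UTC datetime."""
    text = " ".join(value.split())  # single-digit days are padded with two spaces
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def validity_window(openssl_output):
    """Return (start, end) from the key=value lines of one openssl invocation."""
    start = end = None
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in START_KEYS + END_KEYS:
            continue
        try:
            when = parse_openssl_time(value)
        except ValueError:  # e.g. "nextUpdate=NONE" when a CRL omits the field
            continue
        if key in START_KEYS:
            start = when
        else:
            end = when
    return start, end

def check_files(outputs, now):
    """Map each label to 'ok', 'not yet valid', 'expired' or 'no dates found'."""
    report = {}
    for label, text in outputs.items():
        start, end = validity_window(text)
        if start is None or end is None:
            report[label] = "no dates found"
        elif now < start:
            report[label] = "not yet valid"
        else:
            report[label] = "expired" if now > end else "ok"
    return report

# Server clock from the report: 17 April 2017 17:45:37 (+04).
SERVER_NOW = datetime(2017, 4, 17, 17, 45, 37, tzinfo=timezone(timedelta(hours=4)))
SAMPLE = {
    # Client certificate dates as shown in the report.
    "postgresql.crt": "notBefore=Mar 20 13:05:04 2017 GMT\nnotAfter=Mar 18 13:05:04 2027 GMT",
    # Constructed values, not taken from the report.
    "root.crt": "notBefore=Mar 20 13:00:00 2017 GMT\nnotAfter=Mar 18 13:00:00 2027 GMT",
    "root.crl": "lastUpdate=Mar 20 13:10:00 2017 GMT\nnextUpdate=Apr 16 13:10:00 2017 GMT",
}
if __name__ == "__main__":
    for label, status in check_files(SAMPLE, SERVER_NOW).items():
        print(f"{label}: {status}")
```

With the constructed sample, both certificates report "ok" and only the CRL reports "expired", a case that inspecting the certificates alone would not reveal.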