BUG #13578: use cipher=NULL-SHA256 error when connect - Mailing list pgsql-bugs
| From | digoal@126.com |
|---|---|
| Subject | BUG #13578: use cipher=NULL-SHA256 error when connect |
| Date | |
| Msg-id | 20150818075205.539.5209@wrigleys.postgresql.org |
| Responses | Re: BUG #13578: use cipher=NULL-SHA256 error when connect |
| List | pgsql-bugs |
The following bug has been logged on the website:

Bug reference:      13578
Logged by:          digoal
Email address:      digoal@126.com
PostgreSQL version: 9.4.4
Operating system:   CentOS 6.x x64
Description:

Hi, why can't PostgreSQL 9.4.4 use eNULL or NULL ciphers?

openssl version: openssl-1.0.1p

```
postgres@digoal-> /opt/openssl/bin/openssl ciphers -v 'eNULL'
ECDHE-RSA-NULL-SHA      SSLv3   Kx=ECDH       Au=RSA   Enc=None  Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3   Kx=ECDH       Au=ECDSA Enc=None  Mac=SHA1
AECDH-NULL-SHA          SSLv3   Kx=ECDH       Au=None  Enc=None  Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3   Kx=ECDH/RSA   Au=ECDH  Enc=None  Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3   Kx=ECDH/ECDSA Au=ECDH  Enc=None  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA        Au=RSA   Enc=None  Mac=SHA256
NULL-SHA                SSLv3   Kx=RSA        Au=RSA   Enc=None  Mac=SHA1
NULL-MD5                SSLv3   Kx=RSA        Au=RSA   Enc=None  Mac=MD5
```

I use the TLSv1.2 version NULL-SHA256.

```
ssl = on                                # (change requires restart)
ssl_ciphers = 'NULL-SHA256'             # (change requires restart)
#ssl_prefer_server_ciphers = on         # (change requires restart)
#ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
#ssl_renegotiation_limit = 512MB        # amount of data between renegotiations
#ssl_renegotiation_limit = 0            # amount of data between renegotiations
#ssl_cert_file = 'server.crt'           # (change requires restart)
#ssl_key_file = 'server.key'            # (change requires restart)
#ssl_ca_file = ''                       # (change requires restart)
#ssl_crl_file = ''                      # (change requires restart)
```

```
postgres@digoal-> psql postgresql://postgres:postgres@192.168.150.128:1921/postgres?sslmode=require\&application_name='ab'
psql: SSL error: sslv3 alert handshake failure
```

```
2015-08-18 15:36:50.801 CST,,,51545,"192.168.150.128:21611",55d2e092.c959,2,"",2015-08-18 15:36:50 CST,,0,LOG,08P01,"could not accept SSL connection: no shared cipher",,,,,,,,"open_server_SSL, be-secure.c:1034",""
```

```c
if (r <= 0)
{
    err = SSL_get_error(port->ssl, r);
    switch (err)
    {
        ......
        case SSL_ERROR_SSL:
            ereport(COMMERROR,
                    (errcode(ERRCODE_PROTOCOL_VIOLATION),
                     errmsg("could not accept SSL connection: %s",
                            SSLerrmessage())));
```

But it can use SSLv3 IDEA-CBC-SHA; why?

src/backend/libpq/be-secure.c

```c
/* set up ephemeral DH keys, and disallow SSL v2/v3 while at it */
SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
SSL_CTX_set_options(SSL_context,
                    SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
```

src/interfaces/libpq/fe-secure.c

```c
/* Disable old protocol versions */
SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
```

```
[root@digoal postgresql-9.4.4]# /opt/openssl/bin/openssl ciphers -v 'ALL'|grep IDEA-CBC-SHA
IDEA-CBC-SHA            SSLv3   Kx=RSA        Au=RSA   Enc=IDEA(128) Mac=SHA1
```

When it is connected, we can see the protocol is TLSv1.2. I am confused.

```
postgres@digoal-> psql postgresql://postgres:postgres@192.168.150.128:1921/postgres?sslmode=require\&application_name='ab'
psql (9.4.4)
SSL connection (protocol: TLSv1.2, cipher: IDEA-CBC-SHA, bits: 128, compression: on)
Type "help" for help.

postgres=#
```
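The two observations in the report (the "no shared cipher" failure with `ssl_ciphers = 'NULL-SHA256'`, and an "SSLv3" suite being used over TLSv1.2) both follow from how OpenSSL selects a suite, and the simulation below, an added example that is not part of the report and not PostgreSQL or OpenSSL code, walks through it. Two facts it relies on: the protocol column of `openssl ciphers -v` is the *minimum* version a suite can be negotiated under, so a suite marked SSLv3 remains negotiable under TLSv1.2 after `SSL_OP_NO_SSLv3`; and the server reports "no shared cipher" when the intersection of its configured list and the client's offered list is empty. The server-side lines are the report's own `openssl ciphers -v` output; the client list is constructed (assumption: a hypothetical client whose list follows OpenSSL's `DEFAULT` rule, `ALL:!COMPLEMENTOFDEFAULT:!eNULL`, which therefore contains no Enc=None suites). The `unencrypted()` audit is the check an operator would want before enabling such a list, since eNULL suites authenticate and integrity-protect but do not encrypt.

```python
"""Simulate OpenSSL cipher-suite selection to explain "no shared cipher".

Added example, not PostgreSQL or OpenSSL code. Parses `openssl ciphers -v`
lines, then intersects the server's ssl_ciphers list with the client's
offered list, honouring the enabled protocol versions and the
ssl_prefer_server_ciphers flag.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ascending protocol versions. The version printed by `openssl ciphers -v`
# is a suite's *minimum* version: an "SSLv3" suite is usable under TLSv1.2.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


@dataclass(frozen=True)
class Suite:
    name: str
    min_proto: str
    kx: str
    au: str
    enc: str
    mac: str


_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse the lines printed by `openssl ciphers -v`; skips non-matching lines."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            suites.append(Suite(m["name"], m["proto"], m["kx"], m["au"], m["enc"], m["mac"]))
    return suites


def usable_under(suite: Suite, enabled: List[str]) -> bool:
    """True if some enabled protocol version is >= the suite's minimum version."""
    floor = PROTO_ORDER.index(suite.min_proto)
    return any(PROTO_ORDER.index(p) >= floor for p in enabled)


def select_cipher(client_offer: List[Suite], server_allow: List[Suite],
                  enabled: List[str], prefer_server: bool = False) -> Optional[Suite]:
    """First suite present on both sides, in the preferring side's order.

    None means the server would report "no shared cipher".
    """
    client = [s for s in client_offer if usable_under(s, enabled)]
    server = [s for s in server_allow if usable_under(s, enabled)]
    first, second = (server, client) if prefer_server else (client, server)
    names = {s.name for s in second}
    return next((s for s in first if s.name in names), None)


def unencrypted(suites: List[Suite]) -> List[str]:
    """Names of eNULL suites (Enc=None): they authenticate but do not encrypt."""
    return [s.name for s in suites if s.enc == "None"]


# Server-side lines copied from the report's `openssl ciphers -v` output.
SERVER_NULL_SHA256 = "NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256\n"
SERVER_IDEA = "IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1\n"
SERVER_IDEA_AND_AES = SERVER_IDEA + "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1\n"

# Constructed client list (assumption: a client following OpenSSL's DEFAULT
# rule, which excludes eNULL suites). Order is the client's preference.
CLIENT_DEFAULT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
"""

# SSLv2/SSLv3 are disabled on both sides in the report (SSL_OP_NO_SSLv3).
PG_ENABLED = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def demo() -> dict:
    """Run the report's scenarios; returns chosen suite names (None = no shared cipher)."""
    client = parse_ciphers_v(CLIENT_DEFAULT)
    null_srv = parse_ciphers_v(SERVER_NULL_SHA256)
    idea_srv = parse_ciphers_v(SERVER_IDEA)
    both_srv = parse_ciphers_v(SERVER_IDEA_AND_AES)

    def name(s: Optional[Suite]) -> Optional[str]:
        return s.name if s else None

    return {
        # ssl_ciphers = 'NULL-SHA256': client offers no eNULL suite -> no shared cipher
        "null_sha256": name(select_cipher(client, null_srv, PG_ENABLED)),
        # ssl_ciphers = 'IDEA-CBC-SHA': "SSLv3" suite still negotiable under TLSv1.2
        "idea_tls12": name(select_cipher(client, idea_srv, PG_ENABLED)),
        # ssl_prefer_server_ciphers decides whose order wins when both match
        "server_preferred": name(select_cipher(client, both_srv, PG_ENABLED, True)),
        "client_preferred": name(select_cipher(client, both_srv, PG_ENABLED, False)),
        # Configuration audit: which configured suites would send plaintext?
        "unencrypted": unencrypted(null_srv),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run stand-alone it prints `null_sha256: None` (the report's "no shared cipher"), `idea_tls12: IDEA-CBC-SHA`, and lists NULL-SHA256 under `unencrypted`; the `server_preferred`/`client_preferred` pair shows what uncommenting `ssl_prefer_server_ciphers = on` changes when both sides have more than one suite in common.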