[pgpool-general: 3467] SSL communications

espeake at oreillyauto.com espeake at oreillyauto.com
Tue Feb 10 02:45:44 JST 2015


It appears that ssl communications are breaking down between my pgpool2
servers and my postgresql servers.  I can connect with just host entries,
but hostssl entries on my postgresql servers fail.  I can get the
certificate to show from my postgresql server if I connect from an openssl
client.  When I try the same thing from one of my pgpool2 servers I get the
following:

openssl s_client -ssl3 -showcerts -connect tntest-postgresql-a-1.oreillyauto.com:5433
CONNECTED(00000003)
140490160506528:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1423503616
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


openssl s_client -tls1 -showcerts -connect tntest-postgresql-a-1.oreillyauto.com:5433
CONNECTED(00000003)
140240468043424:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1423503672
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

It appears to me that with both ssl3 and tls1 chosen, ssl3 is being
used.  Can I set it to always use tls1, and where?

Here is the ssl config from my pgpool2 server:

# - SSL Connections -


ssl = on
                                   # Enable SSL support
                                   # (change requires restart)
#ssl_key = './ssl-cert-snakeoil.key'
                                   # Path to the SSL private key file
                                   # (change requires restart)
ssl_cert = '/etc/java-6-openjdk/security/mycert.com.crt'
                                   # Path to the SSL public certificate file
                                   # (change requires restart)
ssl_ca_cert = '/etc/java-6-openjdk/security/myinternal_ca.crt'
                                   # Path to a single PEM format file
                                   # containing CA root certificate(s)
                                   # (change requires restart)
#ssl_ca_cert_dir = '/etc/java-6-openjdk/security'
                                   # Directory containing CA root certificate(s)
                                   # (change requires restart)

Any and all ideas are appreciated.

Thank you,
Eric Speake
Senior Systems Administrator
O'Reilly Auto Parts
 (417) 862-2674  Ext. 1975
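Added example (not part of the original post or of pgpool): a small Python probe for the situation described above. A PostgreSQL backend expects the 8-byte SSLRequest packet before any TLS bytes, so this script sends it first, then starts TLS with a minimum protocol version and CA verification and reports what was actually negotiated; the host, port and CA path are assumed placeholders.

```python
import socket
import ssl
import struct

# PostgreSQL's SSLRequest message: int32 length (8) followed by the
# request code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
SSL_REQUEST_CODE = 80877103

def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest a client must send before any TLS bytes."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def negotiate_ssl(sock: socket.socket) -> bool:
    """Send SSLRequest and read the one-byte answer: 'S' = start TLS, 'N' = server refuses SSL."""
    sock.sendall(build_ssl_request())
    reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ConnectionError(f"unexpected SSLRequest reply: {reply!r}")

def make_context(ca_file, minimum=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Context that refuses SSLv3/TLS 1.0/1.1 and verifies the backend against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = minimum
    return ctx

def probe(host: str, port: int, ca_file: str) -> dict:
    """Connect, run the PostgreSQL SSL prologue, finish TLS and report what was negotiated."""
    with socket.create_connection((host, port), timeout=10) as raw:
        if not negotiate_ssl(raw):
            return {"ssl": False}
        with make_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"ssl": True, "version": tls.version(),
                    "cipher": tls.cipher()[0], "subject": subject}

def simulate_reply(reply: bytes) -> bool:
    """Offline self-check: feed a canned server answer through a socketpair."""
    client, server = socket.socketpair()
    try:
        server.sendall(reply)
        result = negotiate_ssl(client)
        assert server.recv(8) == build_ssl_request()
        return result
    finally:
        client.close()
        server.close()
```

Run it as `probe("backend.example.internal", 5432, "/path/to/myinternal_ca.crt")` (placeholder values) from the pgpool host; a backend that answers 'N' or a handshake that fails the minimum-version or CA check surfaces as a `False` result or an `ssl.SSLError` rather than a silent downgrade.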


