[BUG] Cannot connect to Postgres with sql_ssl_verify: true #4180

Open
sando38 opened this issue Mar 19, 2024 · 0 comments

sando38 (Contributor) commented Mar 19, 2024

Environment

  • ejabberd version: 24.02
  • Erlang version: 26.2
  • OS: Linux (Debian12)
  • Installed from: source | kubernetes (docker image)

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

sql_server: cnpg-ejabberd-testing-abc
sql_port: 5432
sql_database: ejabberd
sql_username: ejabberd
sql_password: ""
sql_type: pgsql

sql_ssl: true
sql_ssl_verify: true
sql_ssl_cafile: "/opt/ejabberd/certs/cnpg-tls/ca.crt"
sql_ssl_certfile: "/opt/ejabberd/certs/cnpg-tls/fullchain.pem"

Errors from error.log/crash.log

2024-03-19 22:46:03.304686+00:00 [warning] <0.450.0>@ejabberd_sql:handle_reconnect/2:491 pgsql connection failed:
** Reason: {tls_alert,
               {handshake_failure,
                   "TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
** Retry after: 3 seconds
2024-03-19 22:46:03.306544+00:00 [notice] <0.1509.0>@ssl_handshake:path_validation_alert/1:2135 TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure
 - {bad_cert,hostname_check_failed}
2024-03-19 22:46:03.306757+00:00 [warning] <0.443.0>@ejabberd_sql:handle_reconnect/2:491 pgsql connection failed:
** Reason: {tls_alert,
               {handshake_failure,
                   "TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
** Retry after: 3 seconds
2024-03-19 22:46:03.311020+00:00 [debug] <0.1511.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1511.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1512.0>},
              {id,sender},
              {mfargs,{tls_sender,start_link,[[{spawn_opt,[]}]]}},
              {restart_type,temporary},
              {significant,false},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.311185+00:00 [debug] <0.1511.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1511.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1513.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1512.0>,
                       {10,40,24,14},
                       5432,#Port<0.239>,
                       {#{signature_algs_cert => undefined,
                          session_tickets => disabled,verify_fun => undefined,
                          user_lookup_fun => undefined,protocol => tls,
                          alpn_advertised_protocols => undefined,
                          crl_check => false,cacerts => undefined,
                          renegotiate_at => 268435456,
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,
                               rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                               rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                               rsa_pss_rsae_sha256,rsa_pkcs1_sha512,
                               rsa_pkcs1_sha384,rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          versions => [{3,4},{3,3}],
                          max_handshake_size => 131072,
                          secure_renegotiate => true,fallback => false,
                          cacertfile =>
                              <<"/opt/ejabberd/certs/cnpg-tls/ca.crt">>,
                          early_data => undefined,handshake => full,
                          psk_identity => undefined,
                          max_fragment_length => undefined,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          log_level => notice,key_update_at => 388736063997,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp256r1,secp384r1]},
                          customize_hostname_check => [],
                          server_name_indication => undefined,
                          reuse_sessions => true,
                          ciphers =>
                              [<<19,2>>,
                               <<19,1>>,
                               <<19,3>>,
                               <<19,4>>,
                               <<19,5>>,
                               <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>,
                               <<"À(">>,
                               <<204,169>>,
                               <<204,168>>,
                               <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>,
                               <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>,
                               <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>,
                               <<0,159>>,
                               <<0,163>>,
                               <<0,107>>,
                               <<0,106>>,
                               <<0,158>>,
                               <<0,162>>,
                               <<204,170>>,
                               <<0,103>>,
                               <<0,64>>,
                               <<"À\n">>,
                               <<192,20>>,
                               <<192,5>>,
                               <<192,15>>,
                               <<"À\t">>,
                               <<192,19>>,
                               <<192,4>>,
                               <<192,14>>,
                               <<0,57>>,
                               <<0,56>>,
                               <<0,51>>,
                               <<0,50>>],
                          use_ticket => undefined,srp_identity => undefined,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,132,0,39},
                                   {1,3,132,0,38},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,36},
                                   {1,3,132,0,37},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,3,132,0,34},
                                   {1,3,132,0,16},
                                   {1,3,132,0,17},
                                   {1,3,36,3,3,2,8,1,1,7},
                                   {1,3,132,0,10},
                                   {1,2,840,10045,3,1,7}]},
                          verify => verify_peer,
                          partial_chain => #Fun<ssl.5.5938469>,
                          reuse_session => undefined,
                          certs_keys =>
                              [#{certfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>,
                                 keyfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>}]},
                        {socket_options,binary,0,0,0,once},
                        undefined},
                       <0.1501.0>,
                       {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
              {restart_type,temporary},
              {significant,true},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.315281+00:00 [notice] <0.1513.0>@ssl_handshake:path_validation_alert/1:2135 TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure
 - {bad_cert,hostname_check_failed}
2024-03-19 22:46:03.315457+00:00 [warning] <0.454.0>@ejabberd_sql:handle_reconnect/2:491 pgsql connection failed:
** Reason: {tls_alert,
               {handshake_failure,
                   "TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
** Retry after: 3 seconds
2024-03-19 22:46:03.325665+00:00 [debug] <0.1520.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1520.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1521.0>},
              {id,sender},
              {mfargs,{tls_sender,start_link,[[{spawn_opt,[]}]]}},
              {restart_type,temporary},
              {significant,false},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.325881+00:00 [debug] <0.1520.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1520.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1522.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1521.0>,
                       {10,40,24,14},
                       5432,#Port<0.240>,
                       {#{signature_algs_cert => undefined,
                          session_tickets => disabled,verify_fun => undefined,
                          user_lookup_fun => undefined,protocol => tls,
                          alpn_advertised_protocols => undefined,
                          crl_check => false,cacerts => undefined,
                          renegotiate_at => 268435456,
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,
                               rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                               rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                               rsa_pss_rsae_sha256,rsa_pkcs1_sha512,
                               rsa_pkcs1_sha384,rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          versions => [{3,4},{3,3}],
                          max_handshake_size => 131072,
                          secure_renegotiate => true,fallback => false,
                          cacertfile =>
                              <<"/opt/ejabberd/certs/cnpg-tls/ca.crt">>,
                          early_data => undefined,handshake => full,
                          psk_identity => undefined,
                          max_fragment_length => undefined,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          log_level => notice,key_update_at => 388736063997,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp256r1,secp384r1]},
                          customize_hostname_check => [],
                          server_name_indication => undefined,
                          reuse_sessions => true,
                          ciphers =>
                              [<<19,2>>,
                               <<19,1>>,
                               <<19,3>>,
                               <<19,4>>,
                               <<19,5>>,
                               <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>,
                               <<"À(">>,
                               <<204,169>>,
                               <<204,168>>,
                               <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>,
                               <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>,
                               <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>,
                               <<0,159>>,
                               <<0,163>>,
                               <<0,107>>,
                               <<0,106>>,
                               <<0,158>>,
                               <<0,162>>,
                               <<204,170>>,
                               <<0,103>>,
                               <<0,64>>,
                               <<"À\n">>,
                               <<192,20>>,
                               <<192,5>>,
                               <<192,15>>,
                               <<"À\t">>,
                               <<192,19>>,
                               <<192,4>>,
                               <<192,14>>,
                               <<0,57>>,
                               <<0,56>>,
                               <<0,51>>,
                               <<0,50>>],
                          use_ticket => undefined,srp_identity => undefined,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,132,0,39},
                                   {1,3,132,0,38},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,36},
                                   {1,3,132,0,37},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,3,132,0,34},
                                   {1,3,132,0,16},
                                   {1,3,132,0,17},
                                   {1,3,36,3,3,2,8,1,1,7},
                                   {1,3,132,0,10},
                                   {1,2,840,10045,3,1,7}]},
                          verify => verify_peer,
                          partial_chain => #Fun<ssl.5.5938469>,
                          reuse_session => undefined,
                          certs_keys =>
                              [#{certfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>,
                                 keyfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>}]},
                        {socket_options,binary,0,0,0,once},
                        undefined},
                       <0.1515.0>,
                       {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
              {restart_type,temporary},
              {significant,true},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.327646+00:00 [debug] <0.1524.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1524.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1525.0>},
              {id,sender},
              {mfargs,{tls_sender,start_link,[[{spawn_opt,[]}]]}},
              {restart_type,temporary},
              {significant,false},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.327868+00:00 [debug] <0.1524.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1524.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1526.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1525.0>,
                       {10,40,24,14},
                       5432,#Port<0.241>,
                       {#{signature_algs_cert => undefined,
                          session_tickets => disabled,verify_fun => undefined,
                          user_lookup_fun => undefined,protocol => tls,
                          alpn_advertised_protocols => undefined,
                          crl_check => false,cacerts => undefined,
                          renegotiate_at => 268435456,
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,
                               rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                               rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                               rsa_pss_rsae_sha256,rsa_pkcs1_sha512,
                               rsa_pkcs1_sha384,rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          versions => [{3,4},{3,3}],
                          max_handshake_size => 131072,
                          secure_renegotiate => true,fallback => false,
                          cacertfile =>
                              <<"/opt/ejabberd/certs/cnpg-tls/ca.crt">>,
                          early_data => undefined,handshake => full,
                          psk_identity => undefined,
                          max_fragment_length => undefined,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          log_level => notice,key_update_at => 388736063997,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp256r1,secp384r1]},
                          customize_hostname_check => [],
                          server_name_indication => undefined,
                          reuse_sessions => true,
                          ciphers =>
                              [<<19,2>>,
                               <<19,1>>,
                               <<19,3>>,
                               <<19,4>>,
                               <<19,5>>,
                               <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>,
                               <<"À(">>,
                               <<204,169>>,
                               <<204,168>>,
                               <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>,
                               <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>,
                               <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>,
                               <<0,159>>,
                               <<0,163>>,
                               <<0,107>>,
                               <<0,106>>,
                               <<0,158>>,
                               <<0,162>>,
                               <<204,170>>,
                               <<0,103>>,
                               <<0,64>>,
                               <<"À\n">>,
                               <<192,20>>,
                               <<192,5>>,
                               <<192,15>>,
                               <<"À\t">>,
                               <<192,19>>,
                               <<192,4>>,
                               <<192,14>>,
                               <<0,57>>,
                               <<0,56>>,
                               <<0,51>>,
                               <<0,50>>],
                          use_ticket => undefined,srp_identity => undefined,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,132,0,39},
                                   {1,3,132,0,38},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,36},
                                   {1,3,132,0,37},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,3,132,0,34},
                                   {1,3,132,0,16},
                                   {1,3,132,0,17},
                                   {1,3,36,3,3,2,8,1,1,7},
                                   {1,3,132,0,10},
                                   {1,2,840,10045,3,1,7}]},
                          verify => verify_peer,
                          partial_chain => #Fun<ssl.5.5938469>,
                          reuse_session => undefined,
                          certs_keys =>
                              [#{certfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>,
                                 keyfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>}]},
                        {socket_options,binary,0,0,0,once},
                        undefined},
                       <0.1514.0>,
                       {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
              {restart_type,temporary},
              {significant,true},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.328378+00:00 [debug] <0.1528.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1528.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1529.0>},
              {id,sender},
              {mfargs,{tls_sender,start_link,[[{spawn_opt,[]}]]}},
              {restart_type,temporary},
              {significant,false},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.328566+00:00 [debug] <0.1528.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1528.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1530.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1529.0>,
                       {10,40,24,14},
                       5432,#Port<0.242>,
                       {#{signature_algs_cert => undefined,
                          session_tickets => disabled,verify_fun => undefined,
                          user_lookup_fun => undefined,protocol => tls,
                          alpn_advertised_protocols => undefined,
                          crl_check => false,cacerts => undefined,
                          renegotiate_at => 268435456,
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,
                               rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                               rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                               rsa_pss_rsae_sha256,rsa_pkcs1_sha512,
                               rsa_pkcs1_sha384,rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          versions => [{3,4},{3,3}],
                          max_handshake_size => 131072,
                          secure_renegotiate => true,fallback => false,
                          cacertfile =>
                              <<"/opt/ejabberd/certs/cnpg-tls/ca.crt">>,
                          early_data => undefined,handshake => full,
                          psk_identity => undefined,
                          max_fragment_length => undefined,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          log_level => notice,key_update_at => 388736063997,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp256r1,secp384r1]},
                          customize_hostname_check => [],
                          server_name_indication => undefined,
                          reuse_sessions => true,
                          ciphers =>
                              [<<19,2>>,
                               <<19,1>>,
                               <<19,3>>,
                               <<19,4>>,
                               <<19,5>>,
                               <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>,
                               <<"À(">>,
                               <<204,169>>,
                               <<204,168>>,
                               <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>,
                               <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>,
                               <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>,
                               <<0,159>>,
                               <<0,163>>,
                               <<0,107>>,
                               <<0,106>>,
                               <<0,158>>,
                               <<0,162>>,
                               <<204,170>>,
                               <<0,103>>,
                               <<0,64>>,
                               <<"À\n">>,
                               <<192,20>>,
                               <<192,5>>,
                               <<192,15>>,
                               <<"À\t">>,
                               <<192,19>>,
                               <<192,4>>,
                               <<192,14>>,
                               <<0,57>>,
                               <<0,56>>,
                               <<0,51>>,
                               <<0,50>>],
                          use_ticket => undefined,srp_identity => undefined,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,132,0,39},
                                   {1,3,132,0,38},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,36},
                                   {1,3,132,0,37},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,3,132,0,34},
                                   {1,3,132,0,16},
                                   {1,3,132,0,17},
                                   {1,3,36,3,3,2,8,1,1,7},
                                   {1,3,132,0,10},
                                   {1,2,840,10045,3,1,7}]},
                          verify => verify_peer,
                          partial_chain => #Fun<ssl.5.5938469>,
                          reuse_session => undefined,
                          certs_keys =>
                              [#{certfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>,
                                 keyfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>}]},
                        {socket_options,binary,0,0,0,once},
                        undefined},
                       <0.1516.0>,
                       {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
              {restart_type,temporary},
              {significant,true},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.330446+00:00 [debug] <0.1532.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1532.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1533.0>},
              {id,sender},
              {mfargs,{tls_sender,start_link,[[{spawn_opt,[]}]]}},
              {restart_type,temporary},
              {significant,false},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.330715+00:00 [debug] <0.1532.0>@supervisor:report_progress/2:1565 PROGRESS REPORT:
    supervisor: {<0.1532.0>,tls_dyn_connection_sup}
    started: [{pid,<0.1534.0>},
              {id,receiver},
              {mfargs,
                  {ssl_gen_statem,start_link,
                      [client,<0.1533.0>,
                       {10,40,24,14},
                       5432,#Port<0.243>,
                       {#{signature_algs_cert => undefined,
                          session_tickets => disabled,verify_fun => undefined,
                          user_lookup_fun => undefined,protocol => tls,
                          alpn_advertised_protocols => undefined,
                          crl_check => false,cacerts => undefined,
                          renegotiate_at => 268435456,
                          signature_algs =>
                              [eddsa_ed25519,eddsa_ed448,
                               ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                               ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,
                               rsa_pss_pss_sha384,rsa_pss_pss_sha256,
                               rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                               rsa_pss_rsae_sha256,rsa_pkcs1_sha512,
                               rsa_pkcs1_sha384,rsa_pkcs1_sha256,
                               {sha512,ecdsa},
                               {sha384,ecdsa},
                               {sha256,ecdsa}],
                          versions => [{3,4},{3,3}],
                          max_handshake_size => 131072,
                          secure_renegotiate => true,fallback => false,
                          cacertfile =>
                              <<"/opt/ejabberd/certs/cnpg-tls/ca.crt">>,
                          early_data => undefined,handshake => full,
                          psk_identity => undefined,
                          max_fragment_length => undefined,
                          crl_cache => {ssl_crl_cache,{internal,[]}},
                          log_level => notice,key_update_at => 388736063997,
                          supported_groups =>
                              {supported_groups,
                                  [x25519,x448,secp256r1,secp384r1]},
                          customize_hostname_check => [],
                          server_name_indication => undefined,
                          reuse_sessions => true,
                          ciphers =>
                              [<<19,2>>,
                               <<19,1>>,
                               <<19,3>>,
                               <<19,4>>,
                               <<19,5>>,
                               <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>,
                               <<"À(">>,
                               <<204,169>>,
                               <<204,168>>,
                               <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>,
                               <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>,
                               <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>,
                               <<0,159>>,
                               <<0,163>>,
                               <<0,107>>,
                               <<0,106>>,
                               <<0,158>>,
                               <<0,162>>,
                               <<204,170>>,
                               <<0,103>>,
                               <<0,64>>,
                               <<"À\n">>,
                               <<192,20>>,
                               <<192,5>>,
                               <<192,15>>,
                               <<"À\t">>,
                               <<192,19>>,
                               <<192,4>>,
                               <<192,14>>,
                               <<0,57>>,
                               <<0,56>>,
                               <<0,51>>,
                               <<0,50>>],
                          use_ticket => undefined,srp_identity => undefined,
                          eccs =>
                              {elliptic_curves,
                                  [{1,3,132,0,39},
                                   {1,3,132,0,38},
                                   {1,3,132,0,35},
                                   {1,3,36,3,3,2,8,1,1,13},
                                   {1,3,132,0,36},
                                   {1,3,132,0,37},
                                   {1,3,36,3,3,2,8,1,1,11},
                                   {1,3,132,0,34},
                                   {1,3,132,0,16},
                                   {1,3,132,0,17},
                                   {1,3,36,3,3,2,8,1,1,7},
                                   {1,3,132,0,10},
                                   {1,2,840,10045,3,1,7}]},
                          verify => verify_peer,
                          partial_chain => #Fun<ssl.5.5938469>,
                          reuse_session => undefined,
                          certs_keys =>
                              [#{certfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>,
                                 keyfile =>
                                     <<"/opt/ejabberd/certs/cnpg-tls/fullchain.pem">>}]},
                        {socket_options,binary,0,0,0,once},
                        undefined},
                       <0.1517.0>,
                       {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}},
              {restart_type,temporary},
              {significant,true},
              {shutdown,5000},
              {child_type,worker}]

2024-03-19 22:46:03.331255+00:00 [notice] <0.1522.0>@ssl_handshake:path_validation_alert/1:2135 TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure
 - {bad_cert,hostname_check_failed}
2024-03-19 22:46:03.331473+00:00 [warning] <0.446.0>@ejabberd_sql:handle_reconnect/2:491 pgsql connection failed:
** Reason: {tls_alert,
               {handshake_failure,
                   "TLS client: In state wait_cert at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
** Retry after: 3 seconds

Bug description

I cannot connect to Postgres with sql_ssl_verify: true. I have the above error messages. When I use a simple psql client using the same certificates, it works:

~ $ psql "sslmode=verify-full sslrootcert=/opt/ejabberd/certs/cnpg-tls/ca.crt sslcert=/opt/ejabberd/certs/cnpg-tls/tls.crt sslkey=/opt/ejabberd/certs/cnpg-tls/tls.key host=cnpg-ejabberd-testing-abc port=5432 user=ejabberd dbname=ejabberd"
psql (15.6, server 16.2 (Debian 16.2-1.pgdg110+2))
WARNING: psql major version 15, server major version 16.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

ejabberd=>

Here is the corresponding Postgres error message:

{"level":"info","ts":"2024-03-19T22:49:58Z","logger":"postgres","msg":"record","logging_pod":"cnpg-ejabberd-testing-abc-1","record":{"log_time":"2024-03-19 22:49:58.861 UTC","process_id":"4953","connection_from":"127.0.0.6:47863","session_id":"65fa1696.1359","session_line_num":"1","session_start_time":"2024-03-19 22:49:58 UTC","transaction_id":"0","error_severity":"LOG","sql_state_code":"08P01","message":"could not accept SSL connection: sslv3 alert handshake failure","backend_type":"not initialized","query_id":"0"}}

The CA certificate is PEM encoded. Without the sql_ssl_verify: true option, only presenting the client certificate, it works.

I am not sure if this is a problem on my side with ejabberd or Postgres. I am happy for any advice.
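The alert in the log is `{bad_cert,hostname_check_failed}`, which is the TLS client's reference-identity check, not a chain or CA problem. The option dump above shows the client started with `verify => verify_peer`, `server_name_indication => undefined` and a peer given as the address tuple `{10,40,24,14}`, while the working `psql` run used `host=cnpg-ejabberd-testing-abc` as its reference identity. The following added example (not ejabberd or Erlang/OTP code; plain Python standard library, with constructed `subjectAltName` tuples shaped like `ssl.getpeercert()['subjectAltName']` output and illustrative names and addresses) implements the RFC 6125 style matching a verifying client performs, including the case where the reference identity is an IP address and the certificate names the server only by DNS name:

```python
# Added example: reference-identity (hostname) matching as a TLS client does
# it once verify_peer is enabled. Not part of ejabberd or Erlang/OTP; the SAN
# entries and the address below are constructed sample data.
import ipaddress
from typing import Sequence, Tuple

SanEntry = Tuple[str, str]

# Constructed: a server certificate naming the Postgres service by DNS only.
SAN_DNS_ONLY: Sequence[SanEntry] = (
    ("DNS", "cnpg-ejabberd-testing-abc"),
    ("DNS", "*.cnpg-ejabberd-testing-abc.svc"),
)
# Constructed: the same certificate reissued with an iPAddress identifier too.
SAN_WITH_IP: Sequence[SanEntry] = SAN_DNS_ONLY + (("IP Address", "10.40.24.14"),)


def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """DNS-ID comparison: case-insensitive, wildcard allowed only as the whole
    left-most label, matching exactly one label, and refused for patterns so
    short that they would cover a whole suffix (fewer than three labels)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the entire left-most label
    if len(p_labels) < 3:
        return False  # '*.svc' style patterns are too broad
    if len(h_labels) != len(p_labels):
        return False  # '*' matches one label, never several
    return h_labels[1:] == p_labels[1:]


def check_hostname(san: Sequence[SanEntry], reference: str) -> Tuple[bool, str]:
    """Match the client's reference identity against the presented identifiers.

    Returns (ok, reason). The failure reason mirrors the Erlang ssl alert
    {bad_cert, hostname_check_failed}: the check also fails when the
    certificate carries no identifier of the right kind for the reference,
    not only when the names differ."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        # An IP reference matches iPAddress SAN entries only; dNSName entries
        # are ignored even if their text happens to equal the address.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ref_ip:
                return True, f"IP-ID {reference} present in subjectAltName"
        return False, f"hostname_check_failed: no iPAddress SAN for {reference}"

    for kind, value in san:
        if kind == "DNS" and _dns_id_matches(value, reference):
            return True, f"DNS-ID {reference} matches SAN entry {value!r}"
    return False, f"hostname_check_failed: no dNSName SAN matches {reference}"


if __name__ == "__main__":
    for san, ref in (
        (SAN_DNS_ONLY, "cnpg-ejabberd-testing-abc"),  # the psql reference identity
        (SAN_DNS_ONLY, "10.40.24.14"),               # IP reference, DNS-only cert
        (SAN_WITH_IP, "10.40.24.14"),                # IP reference, cert with IP SAN
    ):
        print(f"{ref:28} -> {check_hostname(san, ref)}")
```

When this alert appears, the first check is to compare the identity the client actually verifies against (the name or address it was given, or an explicit `server_name_indication`) with the certificate's `subjectAltName`; `openssl x509 -in server.crt -noout -ext subjectAltName` prints the latter. The client certificate and CA file are irrelevant to this particular alert, which is why presenting the client certificate without `sql_ssl_verify` succeeds.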
