Re: BUG #1321: SSL error: sslv3 alert handshake failure
From | Michael Fuhr |
---|---|
Subject | Re: BUG #1321: SSL error: sslv3 alert handshake failure |
Date | |
Msg-id | 20041116203033.GA24871@winnie.fuhr.org |
In response to | Re: BUG #1321: SSL error: sslv3 alert handshake failure (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #1321: SSL error: sslv3 alert handshake failure |
List | pgsql-bugs |

On Tue, Nov 16, 2004 at 03:01:23PM -0500, Tom Lane wrote:
> "PostgreSQL Bugs List" <pgsql-bugs@postgresql.org> writes:
> > After installing 8.0.0beta4 (previously tried with beta3,2,etc) on a linux
> > system with a working 7.4.x installation I was unable to connect with ssl.
> > Tried compiling with OpenSSL 0.9.7d/e. I used certificates created with
> > OpenSSL 0.9.7d/e that both worked fine with 7.4.x but apparently not so with
> > 8.0.0. Server starts fine, but when I attempt to connect to the server with
> > latest pgadmin or psql (8.0.0beta4 both on the pgfoundry binary for windows
> > and a compiled version on Mandrake Linux) the error is always the same. The
> > error message returned to the client is "SSL error: sslv3 alert handshake
> > failure". The log reports: "could not accept SSL connection: 1".
>
> The only SSL changes between beta3 and beta4 were Magnus' changes to
> make ssl work on Windows, so I'm assuming this is his fault ...

Sounds like a problem due to the backend in recent betas demanding a client certificate if $PGDATA/root.crt exists, but the client certificate doesn't exist in ~/.postgresql/postgresql.{crt,key}.

What happens if you remove or rename $PGDATA/root.crt and restart the backend? The server should print warnings like the following but client connections should then succeed:

    could not load root certificate file "/usr/local/pgsql/data/root.crt": No such file or directory
    Will not verify client certificates.

Or you could install a client certificate and key in the locations mentioned (~/.postgresql/postgresql.{crt,key}).

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
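
The condition described in the message above can be checked with a short script. This is an added example, not part of the original message and not PostgreSQL code; the function name `pg_clientcert_check` and its status strings are hypothetical, and it assumes both the server data directory and the client's home directory are readable from where it runs. The final `openssl verify` step goes beyond the message: it also checks that an installed client certificate chains to root.crt.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from PostgreSQL): diagnose the
# root.crt / client-certificate mismatch described in the message above.
# Usage: pg_clientcert_check <PGDATA directory> <client home directory>
pg_clientcert_check() {
    pgdata=$1
    home=$2
    root="$pgdata/root.crt"
    crt="$home/.postgresql/postgresql.crt"
    key="$home/.postgresql/postgresql.key"

    # No root.crt: the server logs a warning and does not verify
    # client certificates, so connections without one succeed.
    if [ ! -f "$root" ]; then
        echo "no-root-crt"
        return 0
    fi

    # root.crt exists: the backend demands a client certificate, so a
    # missing certificate or key ends in a handshake failure.
    if [ ! -f "$crt" ]; then
        echo "client-cert-missing"
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "client-key-missing"
        return 1
    fi

    # Beyond the message: when openssl is available, confirm the client
    # certificate is signed by a CA listed in root.crt.
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1; then
            echo "client-cert-not-trusted-by-root"
            return 1
        fi
    fi

    echo "ok"
    return 0
}
```
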