Re: Misconfiguration on SSL for download.postgresql.org ?
From | Laurenz Albe |
---|---|
Subject | Re: Misconfiguration on SSL for download.postgresql.org ? |
Date | |
Msg-id | 34ab1ccd6d9fdad0caf20a37eb19edc4f59db1c7.camel@cybertec.at |
List | pgsql-www |
I think this had better go to the pgsql-www list.

Yours,
Laurenz Albe

On Thu, 2023-11-23 at 09:21 +0100, Frank Büttner wrote:
> since some days all our servers can't download updates for the RPM
> packages of PostgreSQL.
>
> Error:
> Errors during downloading metadata for repository 'pgdg-common':
>   - Curl error (35): SSL connect error for
> https://download.postgresql.org/pub/repos/yum/common/redhat/rhel-9-x86_64/repodata/repomd.xml
> [error:0A000410:SSL routines::sslv3 alert handshake failure]
> Fehler: Failed to download metadata for repo 'pgdg-common': Cannot
> download repomd.xml: Cannot download repodata/repomd.xml: All mirrors
> were tried
>
> After checking the site via nmap:
> nmap -p 443 download.postgresql.org --script ssl-enum-ciphers
> > TLSv1.3:
> >   ciphers:
> >     TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
> >     TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
> >     TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
> >
> I found the problem, the "x25519" ciphers are missing.
> > TLSv1.3:
> >   ciphers:
> >     TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> >     TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
> >
> Which are needed on systems where the NIST curves are blocked for security
> reasons.
>
>
> So please re-enable the x25519 curve.
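The check described in the quoted message, as an added example that is not part of the original e-mail or of any PostgreSQL project code: it parses `ssl-enum-ciphers` style lines and reports which suites remain usable for a client restricted to a given set of key-exchange groups. The function names are hypothetical, the sample text is constructed from the lines quoted in the message, and the allow-list `["x25519"]` is an assumption modelling a host that blocks NIST curves.

```python
import re

# Constructed from the scan lines quoted in the message above.
SERVER_SCAN = """\
TLSv1.3:
  ciphers:
    TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
    TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
    TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
"""
EXPECTED_SCAN = """\
TLSv1.3:
  ciphers:
    TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
"""

# Lines may carry nmap's leading "|" when copied from full script output.
VERSION_RE = re.compile(r"^\s*\|?\s*((?:TLS|SSL)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\s*\|?\s*(TLS_\w+)\s+\(([^)]+)\)\s+-\s+([A-F])\s*$")

def normalize(label):
    # "ecdh_x25519" and "x25519" name the same group; NIST curves are bare.
    return re.sub(r"^ecdh_", "", label.strip().lower())

def parse_scan(text):
    """Return {version: {suite: group}} from ssl-enum-ciphers style lines."""
    result, version = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            result.setdefault(version, {})
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            # Assumption: the parenthesised label is the key-exchange group
            # reported for that suite in this scan.
            result[version][m.group(1)] = normalize(m.group(2))
    return result

def usable_suites(scan, client_groups):
    """Per version, the suites whose reported group the client allows."""
    allowed = {normalize(g) for g in client_groups}
    return {v: sorted(s for s, g in suites.items() if g in allowed)
            for v, suites in scan.items()}

if __name__ == "__main__":
    print(usable_suites(parse_scan(SERVER_SCAN), ["x25519"]))
```

An empty list for a protocol version means the client and the scanned endpoint share no key-exchange group there, which is the condition under which the handshake-failure alert in the quoted error appears.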