I am trying to connect to my PostgreSQL server on AWS using SSL from the OpenSSL s_client on XP. I can connect to a third party using this s_client. On both the server and XP, I am using openssl version 0.9.8.k.

When I try to connect to my server, I get the result:

CONNECTED(00000003) 2036:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188 :

In the Postgres log, I see the entry:

2009-10-30 13:58:08 UTC LOG: invalid length of startup packet

I'd appreciate any suggestions about where to look to get this working. Maybe there is a public AWS image I can look at on which PostgreSQL is known to work?

Mitch

3 Answers

You didn't specify why you wanted to use s_client.

If it is to interact with the database, any decent client will do. psql can be called with the sslmode=require option. See man psql.

If it is to check the SSL certificate (which is why I came across your question), it still doesn't work with s_client as Magnus pointed out 7 years ago. You can now do it with openssl s_client if you have a version >= 1.1.1, as pointed out in the answer of Adam Batkin. Use openssl version to check, or just directly try this command to see if it works.

echo "" | openssl s_client -starttls postgres -connect EXAMPLE.COM:5432 -showcerts

If you have an older version which doesn't support postgres, this python script can also retrieve the SSL certificate: https://github.com/thusoy/postgres-mitm/blob/master/postgres_get_server_cert.py

For example to check certificate dates:

postgres_get_server_cert.py example.com:5432 | openssl x509 -noout -dates
mivk
    Those on a recent version of macOS will need to use one installed with homebrew; the version of `openssl` that comes installed doesn't support the `postgres` option – BrDaHa Apr 14 '20 at 17:20
You cannot use s_client. PostgreSQL does protocol negotiation before SSL is started (to figure out if it should do SSL or not, since they both run on the same port). You need to use a proper PostgreSQL client (such as psql or pgadmin, for example), not s_client.

Magnus Hagander
  • This helped me understand why it wasn't working. Things have changed since this answer, and the next question explains how to do it with s_client now. – Daniel Nalbach Apr 01 '21 at 23:33
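The negotiation Magnus describes, written out as an added example that is not part of the question or any answer. PostgreSQL's client sends an 8-byte SSLRequest message first; the server answers with a single byte, 'S' (TLS may start) or 'N' (plain only), and only then does the TLS handshake begin. A tool that sends a TLS ClientHello straight away is read by the server as a startup packet whose first four bytes are a length field, which is the "invalid length of startup packet" entry in the question's log. The function names, the constructed sample bytes and the host/port handling below are this example's own, not the protocol's or any library's.

```python
"""Fetch a PostgreSQL server's TLS certificate by doing the protocol's own
SSLRequest negotiation before starting TLS (added example, not from the page)."""
import socket
import ssl
import struct
import sys

# SSLRequest code from the PostgreSQL frontend/backend protocol:
# most significant 16 bits 1234, least significant 16 bits 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679   # == 80877103

# Largest startup packet the server accepts; a TLS ClientHello read as a
# startup packet has a "length" far above this, hence the log entry.
MAX_STARTUP_PACKET_LENGTH = 10000


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest: int32 length (8) + int32 code, network order."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """Interpret the single byte the server sends back to an SSLRequest.

    'S' means the server will start TLS on this connection, 'N' means it
    will not. Anything else is not an SSLRequest reply at all.
    """
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def startup_length_seen_by_server(first_bytes: bytes) -> int:
    """What the server reads as the startup-packet length from the first
    four bytes a client sends. Used here to show why a bare TLS ClientHello
    (e.g. from s_client without -starttls) is rejected as an invalid length."""
    return struct.unpack("!i", first_bytes[:4])[0]


def startup_length_is_valid(length: int) -> bool:
    """Server-side sanity check on the length field (minimum is the 4-byte
    length plus a 4-byte protocol/request code)."""
    return 8 <= length <= MAX_STARTUP_PACKET_LENGTH


def fetch_server_cert_pem(host: str, port: int = 5432, timeout: float = 10.0) -> str:
    """Connect, negotiate SSLRequest, wrap the socket in TLS and return the
    server certificate as PEM text.

    Verification is disabled on purpose: the goal is to inspect the
    certificate (e.g. pipe the PEM into `openssl x509 -noout -dates`), so an
    expired or self-signed certificate must not abort the fetch.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not parse_ssl_response(sock.recv(1)):
            raise RuntimeError(f"{host}:{port} does not offer TLS (replied 'N')")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # usage: python pg_get_cert.py example.com[:5432] | openssl x509 -noout -dates
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost:5432"
    host, _, port = target.partition(":")
    sys.stdout.write(fetch_server_cert_pem(host, int(port or 5432)))
```

The constructed ClientHello prefix used in the checks below is the standard TLS record header (content type 0x16, version bytes, then the record length), which is why its first four bytes decode to a number far above the server's limit; a real SSLRequest decodes to exactly 8.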
It looks like OpenSSL's s_client tool added Postgres support using the -starttls in 1.1.1, so you can now use the full power of OpenSSL's command line tools without additional helper scripts:

> openssl s_client -starttls postgres -connect my.postgres.host:5432 # etc...

References:

BrDaHa
Adam Batkin
    Thank you, this is exactly what I needed to check an AWS RDS Postgres instance from an EC2 after forcing ssl. – Daniel Nalbach Apr 01 '21 at 23:24
  • Protocol 'postgres' isn't available on my MacOS. openssl version LibreSSL 2.8.3. I had to fire up a vagrant box (oracle-linux) and go with OpenSSL. openssl version OpenSSL 1.1.1k FIPS 25 Mar 2021. That worked! – Bjarte Brandt Jan 13 '23 at 15:15