
I specify the configuration as TLSv1.2 and it still resorts to TLSv1.3. The configurations are listed below.

server_tls_protocols = tlsv1.2
server_tls_sslmode = verify-ca

Log:

SSL established:  TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1

I get this error in the logs as well:

2020-10-01 10:30:45.291 2319 WARNING tls_sbufio_recv: unexpected handshake, closing connection
2020-10-01 10:30:45.291 2319 LOG S-0x56286f074d60: test/test@xxx.xx.xx.xxx:5432 closing because: server conn crashed? (age=0)

OpenSSL version: 1.1.1
PgBouncer version: 1.8.1

Is there something simple I'm missing here? I understand TLSv1.3 doesn't work with openssl 1.1.1 but up until a couple of days back it succeeded using TLSv1.2. I have the list of available ciphers accepted by the Postgres server as well. Hardcoding them in server_tls_ciphers doesn't help the case either. Is there a way to make it communicate with TLSv1.2?

scarvish
  • 1.8.1 is pretty old. Did you try a newer version? (I can't replicate with 1.12.0). What is your OS, package manager, and version of postgresql? – jjanes Oct 01 '20 at 23:19
  • Hey jjanes, thanks for the reply. Yeah, the problem is I can't upgrade to a new version of pgbouncer as I am reliant on another Ubuntu repository which isn't managed by me. OS: Ubuntu 18; package manager: apt; PostgreSQL version: 9.5. If I set server_tls_protocols as TLSv1.2 it shouldn't fall back to TLSv1.3, right? That's where my confusion is. – scarvish Oct 03 '20 at 17:30
  • To be clear, I didn't replicate it with 1.8.1 either but that just might be because I didn't try to, as I don't have ready access to it. What repository are you using with apt? Is it a proprietary one? – jjanes Oct 03 '20 at 18:51
  • Yeah, I understand. Upgrading it will most likely help, but it is a proprietary repository. I was just thinking there might be some kind of cipher that the postgres server stopped supporting, but that didn't lead me anywhere either. – scarvish Oct 03 '20 at 19:33
  • Hey @jjanes, are you aware of the "server_tls_protocols" parameter in the config file? Do you have any idea why it's resorting to TLSv1.3 if TLSv1.2 is specified? Ideally it should mean "only use TLSv1.2", right? I think that's the crux of my problem; is this a bug in version 1.8 of pgbouncer? – scarvish Oct 05 '20 at 13:21
  • Yes, I self-compiled them now and it looks like a bug in 1.8 and 1.9, fixed in 1.10. – jjanes Oct 05 '20 at 15:49

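One way to catch the mismatch the question describes, and to confirm after an upgrade that the bouncer really enforces its policy, is to check the handshake summaries PgBouncer logs against what server_tls_protocols permits. The following is an added example, not code from the question or from PgBouncer itself: it reads a pgbouncer.ini fragment (wrapped in the [pgbouncer] section header that the question omits), parses "SSL established" lines, and reports every connection whose negotiated version the configuration does not allow. The expansion of the all/secure/legacy shortcuts follows current PgBouncer documentation and is an assumption for older releases such as 1.8; the compliant TLSv1.2 log line is constructed as a counterpart to the TLSv1.3 line in the question.

```python
"""Check PgBouncer's observed server-side TLS handshakes against server_tls_protocols.

Added example, not code from the original question or from PgBouncer: it parses a
pgbouncer.ini fragment and PgBouncer log lines and flags every 'SSL established'
handshake whose protocol version the configuration does not permit. The sample
config and log lines below are constructed from the values shown in the question.
"""
import re
from configparser import ConfigParser
from typing import Dict, Iterable, List, Set

# Shortcut values PgBouncer documents for server_tls_protocols (assumption: taken
# from current documentation; old releases such as 1.8 may differ).
PROTOCOL_ALIASES: Dict[str, Set[str]] = {
    "all": {"tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"},
    "legacy": {"tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"},
    "secure": {"tlsv1.2", "tlsv1.3"},
}

# Matches the handshake summary PgBouncer logs, e.g.
#   SSL established:  TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
SSL_ESTABLISHED_RE = re.compile(
    r"SSL established:\s+(?P<proto>TLSv\d\.\d)/(?P<cipher>[^/\s]+)(?:/(?P<kex>\S+))?"
)


def allowed_protocols(ini_text: str) -> Set[str]:
    """Return the lowercase set of TLS versions that server_tls_protocols permits."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # Assumption: 'secure' is the documented default when the key is absent.
    raw = cp.get("pgbouncer", "server_tls_protocols", fallback="secure")
    allowed: Set[str] = set()
    for token in (t.strip().lower() for t in raw.split(",") if t.strip()):
        allowed |= PROTOCOL_ALIASES.get(token, {token})
    return allowed


def parse_handshakes(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract protocol, cipher and key exchange from every 'SSL established' line."""
    handshakes: List[Dict[str, str]] = []
    for line in log_lines:
        m = SSL_ESTABLISHED_RE.search(line)
        if m:
            handshakes.append({"line": line.rstrip(), **m.groupdict(default="")})
    return handshakes


def find_violations(ini_text: str, log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return handshakes that negotiated a version the configuration does not allow."""
    allowed = allowed_protocols(ini_text)
    return [hs for hs in parse_handshakes(log_lines) if hs["proto"].lower() not in allowed]


# Constructed from the question: its ini fragment plus the [pgbouncer] section header.
SAMPLE_INI = """\
[pgbouncer]
server_tls_protocols = tlsv1.2
server_tls_sslmode = verify-ca
"""

# Constructed log lines in the question's format; the final TLSv1.2 line is invented
# as a compliant counterpart to the TLSv1.3 handshake the question reports.
SAMPLE_LOG = [
    "2020-10-01 10:30:45.290 2319 LOG S-0x56286f074d60: test/test@xxx.xx.xx.xxx:5432 "
    "SSL established:  TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1",
    "2020-10-01 10:30:45.291 2319 WARNING tls_sbufio_recv: unexpected handshake, closing connection",
    "2020-10-01 10:30:45.291 2319 LOG S-0x56286f074d60: test/test@xxx.xx.xx.xxx:5432 "
    "closing because: server conn crashed? (age=0)",
    "2020-10-01 10:31:02.104 2319 LOG S-0x56286f075a20: test/test@xxx.xx.xx.xxx:5432 "
    "SSL established:  TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
]


def report(ini_text: str = SAMPLE_INI, log_lines: Iterable[str] = SAMPLE_LOG) -> int:
    """Print each non-compliant handshake and return the count for scripted use."""
    violations = find_violations(ini_text, log_lines)
    print(f"allowed: {sorted(allowed_protocols(ini_text))}")
    for hs in violations:
        print(f"MISMATCH {hs['proto']} {hs['cipher']}: {hs['line']}")
    return len(violations)


if __name__ == "__main__":
    raise SystemExit(1 if report() else 0)
```

Against the sample data the check reports the TLSv1.3 handshake and exits non-zero, which is the symptom the comments trace to a bug in 1.8 and 1.9. The script cannot fix that bug, but pointing it at real logs after upgrading to 1.10 or later gives a concrete confirmation that the configured protocol restriction is now being honoured.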