> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Andrej Podzimek
> Sent: Thursday, 09 October, 2008 10:39

> > Might be some STARTTLS equivalent but I'm not sure what it is for that
> > application.
>
> PostgreSQL always listens on one port. This is the only port I
> ever used for TCP/IP connections. So there must be something like
> STARTTLS, as it can handle both encrypted and unencrypted connections.

That would explain why openssl s_client got a handshake failure.
STARTTLS logic is specific per app protocol and s_client doesn't
know postgresql.

> > The best I can suggest at this point is modifying OpenSSL or
> > the application to dump out any expired certificates to a temp
> > file so you can see which one(s) it is complaining about.
>
> That would be helpful. But how could I do that? What file should
> I change? Is there a patch/howto?

Can you just run (commandline) openssl s_server on the server,
listening on some port of your choice, with at least -showcerts, and
openssl s_client on the client to talk to that port, ditto? And for
each specifying the right cert/keyfiles, and for s_server -verify 1
since you indicate the real server requires client auth. And if the
real programs use a specific protocol (2/3/tls) specify that. This
should exercise the same openssl protocol logic as the real client to
the real server, but with a nice display. Preferably the commandline
on each system should be the same version as the library used by/in
the app on that system.

> Two more remarks:
> 1) Downgraded to h and restarted PostgreSQL today.
> (Grrr...) Still the same error.
> 2) Just a wild guess, a shot in the dark: Could this be a
> locale-related issue? Does OpenSSL use/parse text representations
> of dates and times? If so, getting (for example) '9. říj 15.12'
> instead of 'Oct 9 15:12' could result in a comparison failure if
> not handled properly. (But this is probably not the case.
> Presumably, a binary representation (such as epoch) is used...)

The representation in the certificate is the ASN.1 DER encoding,
which is all digits except for a +, -, or letter Z for timezone.
I wouldn't call it binary exactly -- it's NOT a C-lib time_t, for
example -- but it is locale-independent.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
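The ASN.1 time point made at the end of the reply, as an added example that is not part of the list post: a small Python decoder for the two encodings X.509 uses for notBefore/notAfter, UTCTime (DER tag 0x17, `YYMMDDHHMMSSZ`) and GeneralizedTime (DER tag 0x18, `YYYYMMDDHHMMSSZ`), plus a validity check built on it. Both encodings are digits followed by `Z` or a numeric `+hhmm`/`-hhmm` offset, with no month names, so the process locale cannot affect the comparison. The function names, the tag argument and the sample dates are constructed for this illustration; the two-digit year pivot follows RFC 5280.

```python
"""Locale-independent parsing of X.509 validity times (added example)."""
import re
from datetime import datetime, timedelta, timezone

# DER requires seconds and a trailing Z; the optional groups below also accept
# the looser BER forms (missing seconds, fractional seconds, numeric offsets).
_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})$")
_GENTIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(?:[.,]\d+)?(Z|[+-]\d{4})$"
)


def _zone(tok):
    """Map the trailing Z / +hhmm / -hhmm token to a tzinfo."""
    if tok == "Z":
        return timezone.utc
    sign = 1 if tok[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(tok[1:3]), minutes=int(tok[3:5])))


def parse_asn1_time(value, tag):
    """Decode an ASN.1 time string to an aware UTC datetime.

    `tag` is "UTCTime" or "GeneralizedTime". In a real DER blob the tag byte
    (0x17 / 0x18) tells the two apart; the digit string alone may not, so the
    caller passes it in rather than letting the parser guess.
    """
    if tag == "UTCTime":
        m = _UTCTIME.match(value)
        if not m:
            raise ValueError(f"malformed UTCTime: {value!r}")
        yy, mo, dd, hh, mi, ss, zone = m.groups()
        # RFC 5280 pivot: YY 50..99 -> 1950..1999, YY 00..49 -> 2000..2049
        year = int(yy) + (1900 if int(yy) >= 50 else 2000)
    elif tag == "GeneralizedTime":
        m = _GENTIME.match(value)
        if not m:
            raise ValueError(f"malformed GeneralizedTime: {value!r}")
        y, mo, dd, hh, mi, ss, zone = m.groups()
        year = int(y)
    else:
        raise ValueError(f"unknown ASN.1 time tag: {tag!r}")
    # Only integer fields are used here: no strptime, no month names, so the
    # locale of the running process plays no part in the result.
    local = datetime(year, int(mo), int(dd), int(hh), int(mi or 0), int(ss or 0),
                     tzinfo=_zone(zone))
    return local.astimezone(timezone.utc)


def validity_status(not_before, not_after, now):
    """Classify `now` (an aware datetime) against a certificate's validity window.

    not_before / not_after are (value, tag) pairs as they come out of the DER
    Validity sequence. Returns "not-yet-valid", "expired" or "valid".
    """
    nb = parse_asn1_time(*not_before)
    na = parse_asn1_time(*not_after)
    if now < nb:
        return "not-yet-valid"
    if now > na:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample window: one year starting on the date of the thread.
    window = (("081009151200Z", "UTCTime"), ("091009151200Z", "UTCTime"))
    print(validity_status(*window, datetime.now(timezone.utc)))
```

Running it today reports the constructed 2008 window as expired; the useful part for the thread's question is that the same answer comes out whatever `LANG` or `LC_TIME` is set to, because nothing in the path ever formats or parses a month name.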