0
  • PostgreSQL 9.4.6
  • OpenSSL 1.0.2f

If my server or client certificate uses SHA256, I get the following error on the client:

psql: SSL error: tlsv1 alert decrypt error

And the following log message on the server:

LOG: could not accept SSL connection: unknown message digest algorithm

If I generate the client key with SHA1, it works fine:

openssl x509 -req -in user.csr -CA root.crt -CAkey server.key -out user.crt -CAcreateserial -days 365 -sha1

How can I get it to work with SHA256?

asked Feb 23, 2016 at 14:10
3
  • Did you set pg_hba.conf correctly? If this file is set correctly, I think it is a problem of the openssl library, because the log message unknown message digest algorithm is written by the ssl lib. Commented Feb 23, 2016 at 15:56
  • Yes, if I use sha1 certs without changing pg_hba.conf it works fine. Commented Feb 23, 2016 at 15:57
  • Here is the source code of postgres. Line 390 generates your log message. More precisely, SSLerrmessage (line 958) creates that message by calling openssl's function ERR_reason_error_string. Therefore postgres only returns openssl's error message. In other words, (I think) the problem has occurred on the openssl layer. Commented Feb 23, 2016 at 16:14

1 Answer

0

This can happen if PostgreSQL is compiled against an older version of openssl than the version used to generate the keys.

Recompiling with the correct openssl library fixes the problem.

answered Mar 31, 2016 at 17:26
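
One way to check for the library mismatch this answer describes, as an added example that is not part of the original post: compare the OpenSSL shared libraries the PostgreSQL binary loads with the ones the `openssl` CLI loads, and confirm the certificate's signature algorithm. The function names and the sample `ldd` and certificate text are constructed for illustration; differing library paths are a hint that the builds differ, not proof of a version gap.

```shell
#!/bin/sh
# Added diagnostic sketch; all sample inputs below are constructed.

# Read `ldd` output on stdin; print the libssl/libcrypto files it resolves to.
linked_openssl_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $3 }' | sort
}

# $1, $2: `ldd` output of two binaries. Succeeds only if both load the same
# OpenSSL shared libraries (and at least one library was found).
same_openssl() {
    a=$(printf '%s\n' "$1" | linked_openssl_libs)
    b=$(printf '%s\n' "$2" | linked_openssl_libs)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Read `openssl x509 -noout -text` output on stdin; print the signature algorithm.
cert_sig_alg() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Real use (paths are the reader's own):
#   same_openssl "$(ldd "$(command -v postgres)")" "$(ldd "$(command -v openssl)")"
#   openssl x509 -in user.crt -noout -text | cert_sig_alg

# Constructed sample: server binary linked to the distribution's library.
PG_LDD='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# Constructed sample: openssl CLI from a separately installed build.
CLI_LDD='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1000000000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f1000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1000400000)'

# Constructed excerpt of `openssl x509 -noout -text` output.
CERT_TEXT='Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=root'

if same_openssl "$PG_LDD" "$CLI_LDD"; then
    echo "postgres and openssl CLI load the same OpenSSL libraries"
else
    echo "postgres and openssl CLI load different OpenSSL libraries"
fi
echo "certificate signed with: $(printf '%s\n' "$CERT_TEXT" | cert_sig_alg)"
```
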
