Sai Gautam Mandapati

Reputation: 11

LOG: 08P01: could not accept SSL connection: EOF detected

I'm setting up post-quantum cryptography (PQC)-based self-signed certificates for PostgreSQL-16.4, aiming to use PQC KEM and DSA algorithms (specifically Kyber768 for KEM and Dilithium3 for digital signatures). However, I'm encountering the following error in the logs:

LOG:  08P01: could not accept SSL connection: EOF detected
2024-11-06 09:26:26.822 AEDT [80760] LOCATION:  be_tls_open_server, be-secure-openssl.c:523

(base) mandapatisaigautam@Mandapatis-iMac postgresql_certs % psql "sslmode=verify-full sslrootcert=/Users/mandapatisaigautam/postgresql_certs/dilithium3_CA_2.crt sslcert=/Users/mandapatisaigautam/postgresql_certs/new_pqc_client_2.crt sslkey=/Users/mandapatisaigautam/postgresql_certs/new_pqc_client_2.key dbname=postgres host=localhost"
Successfully set KEX/KEM group to: kyber768
psql: error: connection to server at "localhost" (127.0.0.1), port 5432 failed: SSL error: no SSL error reported

I'm using openssl-3.3.2 and have activated PQC in the openssl.conf file.

I've generated and configured self-signed certificates for both the PostgreSQL client and server, following PQC requirements. Despite adjusting my configuration, I can't seem to resolve this EOF issue during SSL handshake initialization. What might be causing this, and how can I troubleshoot or resolve the EOF detected error?

postgresql.conf settings:

listen_addresses = '*'  

# - SSL -

ssl = on
ssl_ca_file = '/Users/mandapatisaigautam/postgresql_certs/dilithium3_CA_2.crt'
ssl_cert_file = '/Users/mandapatisaigautam/postgresql_certs/server_pqc_2.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = '/Users/mandapatisaigautam/postgresql_certs/server_pqc_2.key'
ssl_ciphers = 'HIGH:!aNULL' # allowed SSL ciphers
ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
ssl_min_protocol_version = 'TLSv1.2'
ssl_max_protocol_version = 'TLSv1.3'
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

Code Modifications:

In fe-secure-openssl.c, I added the following code.

    /* SSL_CTX_set1_groups_list() returns 1 on success and 0 on failure.
     * Note: the original condition read "!SSL_CTX_set1_groups_list(...) != 1",
     * which evaluates as "(!ret) != 1" and therefore reports success exactly
     * when the call failed; the check below tests the return value directly. */
    if (SSL_CTX_set1_groups_list(SSL_context, "kyber768") != 1)
    {
        fprintf(stderr, "Failed to set KEX/KEM group: kyber768\n");
        SSL_CTX_free(SSL_context);
        return -1;
    }
    fprintf(stdout, "Successfully set KEX/KEM group to: kyber768\n");

    return 0;

In be-secure-openssl.c:

static bool
initialize_kem(SSL_CTX *context, bool isServerStart)
{
#ifndef OPENSSL_NO_KEM
    /* Restrict the server's supported groups to the single KEM group;
     * SSL_CTX_set1_groups_list() returns 1 on success and 0 on failure. */
    if (SSL_CTX_set1_groups_list(context, "kyber768") != 1)
    {
        ereport(isServerStart ? FATAL : LOG,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("KEX: could not set key exchange algorithms with specified KEM groups")));
        return false;
    }

    ereport(LOG, (errmsg("KEX: successfully set key exchange algorithms with specified KEM groups")));
#endif

    return true;
}

I have commented out the initialize_ecdh function on the backend.

I expected these configurations and code changes to allow a successful SSL connection using PQC certificates and Kyber768 for KEM. However, the connection fails with the EOF detected error.

What could be causing this EOF error, and what additional steps or troubleshooting measures should I take to address it?

Upvotes: 1

Views: 222

Answers (1)

vijay karnati

Reputation: 11

  1. Verify the client-side SSL configuration. Check if the SSL mode is set properly.
  2. Check the certificate and permissions.
  3. Check SSL versions and compatibility.

Upvotes: 1
