
More SSL patches

From: Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu>
To: pgsql-bugs(at)postgresql(dot)org
Subject: More SSL patches
Date: 2002-12-23 07:19:16
Message-ID: 1040627956.3e06b8f4c2611@www-auth.cs.wisc.edu
Lists: pgsql-bugs
I was playing around with 7.3.1 and found some more SSL problems.  The first,
that I missed when checking over 7.3.1, was that the client method was switched
to SSLv23 along with the server.  The SSLv23 client method does SSLv2 by
default, but can also understand SSLv3.  In our situation the SSLv2 backwards
compatibility is really only needed on the server.  This is the first patch.

The second was that renegotiation was just plain broken.  I can't believe I
didn't notice this before -- once 64k was sent to/from the server the client
would crash.  Basically, in 7.3 the server SSL code set the initial state to
"about to renegotiate" without actually starting the renegotiation.  In
addition, the server and client didn't properly handle the
SSL_ERROR_WANT_(READ|WRITE) error.  This is fixed in the second patch.

The last thing is that I found a way for the server to understand SSLv2 HELLO
messages (sent by pre-7.3 clients) but then get them to talk SSLv3.  This is the
last one.

Hopefully this is the end of the SSL fixes.  I've run some pretty heavy stress
tests against a patched installation and I haven't noticed any problems yet.
Then again, I didn't notice the renegotiation problems until yesterday...

      --Nate


Attachment: sslpatch.3
Description: application/octet-stream (633 bytes)
Attachment: sslpatch.2
Description: application/octet-stream (4.7 KB)
Attachment: sslpatch.1
Description: application/octet-stream (521 bytes)
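The SSL_ERROR_WANT_(READ|WRITE) handling mentioned above, shown as an added example that is not one of the attached patches and not PostgreSQL code: it drives an OpenSSL client handshake over in-memory BIOs (Python's ssl module), so it runs offline with no server; the hostname is a constructed placeholder and certificate verification is disabled only for that reason.

```python
import ssl

# Added example, not from the patches in this thread. With OpenSSL's memory
# BIOs (ssl.MemoryBIO / ssl.SSLObject), SSL_ERROR_WANT_READ surfaces as
# SSLWantReadError and SSL_ERROR_WANT_WRITE as SSLWantWriteError. Neither is
# a failure: WANT_READ means "flush what I queued and feed me the peer's
# reply", WANT_WRITE means "drain my outgoing buffer first, then retry".
# A client that treats them as fatal dies the first time the server asks to
# renegotiate, which is the crash described in the message above.


def drive_step(ssl_obj: ssl.SSLObject, outgoing: ssl.MemoryBIO, op):
    """Run one SSL operation and translate WANT_READ/WANT_WRITE into a
    (status, result, bytes_to_send) tuple instead of an exception.

    status is "done", "want_read" or "want_write". bytes_to_send is whatever
    OpenSSL queued in the outgoing BIO; the caller must write it to the
    socket before waiting for the peer and then retry op()."""
    try:
        result = op()
        status = "done"
    except ssl.SSLWantReadError:
        result, status = None, "want_read"
    except ssl.SSLWantWriteError:
        result, status = None, "want_write"
    return status, result, outgoing.read()


def start_client_handshake(hostname: str = "db.example.invalid"):
    """Begin a client handshake against an in-memory transport (no network,
    no server). Returns (status, client_hello_bytes).

    hostname is a constructed placeholder; verification is disabled only so
    the example runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ssl_obj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                           server_hostname=hostname)
    status, _, to_send = drive_step(ssl_obj, outgoing, ssl_obj.do_handshake)
    # The peer has not answered yet, so OpenSSL reports WANT_READ, but it has
    # already queued the ClientHello record (type 0x16), which must be sent.
    return status, to_send


if __name__ == "__main__":
    status, hello = start_client_handshake()
    print(status, len(hello), "bytes queued, record type 0x%02x" % hello[0])
```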
