Re: Bug #838: SSL problems in 7.3

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Nathan Mueller <nmueller(at)cs(dot)wisc(dot)edu>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Bug #838: SSL problems in 7.3
Date: 2002-12-10 18:53:10
Message-ID: 200212101853.gBAIrAn13312@candle.pha.pa.us
Lists: pgsql-bugs


I am glad you found out the cause of your problems.

I am reluctant to apply this patch because the original author
recommended TLSv1 specifically because it was more secure, especially
compared to SSLv2.

There was a conscious decision in 7.3 to require only 7.3 clients when
using SSL. I don't remember how many people were involved in that
discussion, but I know it was made. In fact, there was so much new SSL
code in 7.3, I suspected we couldn't even make it work with pre-7.2
clients. I am surprised it works with your small change.

On the issue of checking if SSL_read() has returned -1, is that standard
OpenSSL coding practice that even if SSL_get_error() returns an error,
you have to check the SSL_read() return value too?

---------------------------------------------------------------------------

Nathan Mueller wrote:
> > tested it with openssl 0.9.6e and it worked on BSD/OS 4.2. The author
> > is only involved intermittently. I worked with him to get it
> > working on
> > 7.3. It is certainly possible there are other bugs in there.
>
> Slow night so I learned a little about SSL and figured this out. The
> following patch does two things.
>
> First it switches the ssl method back to SSLv23 so pre-7.3 SSL clients
> will work with new databases. I made the switch in both the client and
> the server, but the server change is all you really need. The second is
> to ignore the SSL syscall error when n is 0 since that means EOF.
>
> This fixes both of my problems, hope it works for everyone else too.
>
> --Nate
>
> diff -ur postgresql-7.3/src/backend/libpq/be-secure.c
> postgresql-7.3.patched/src/backend/libpq/be-secure.c
> --- postgresql-7.3/src/backend/libpq/be-secure.c Thu Nov 7 12:47:08 2002
> +++ postgresql-7.3.patched/src/backend/libpq/be-secure.c Mon Dec 9
> 23:47:45 2002
> @@ -288,7 +288,8 @@
> case SSL_ERROR_WANT_READ:
> break;
> case SSL_ERROR_SYSCALL:
> - elog(ERROR, "SSL SYSCALL error: %s",
> strerror(errno));
> + if (n == -1)
> + elog(ERROR, "SSL SYSCALL error: %s",
> strerror(errno));
> break;
> case SSL_ERROR_SSL:
> elog(ERROR, "SSL error: %s",
> SSLerrmessage());
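Review bot: the new `if (n == -1)` guard lets a zero return under SSL_ERROR_SYSCALL fall through to `break` with nothing recorded, so an unclean shutdown becomes indistinguishable from a clean one. In OpenSSL's SSL_get_error() contract, SSL_ERROR_SYSCALL with a return of 0 means an EOF that violates the protocol (the peer closed the transport without sending close_notify), so the stream may have been truncated by the network or an intermediary rather than ended by the client; errno is not set in that case, which is why the old unconditional `strerror(errno)` message was meaningless. Suggest keeping the guard but adding a comment stating that n == 0 is "EOF without close_notify", and logging that case at NOTICE or a DEBUG level instead of dropping it, so unclean closes stay visible in the server log while no longer aborting with a bogus syscall error.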
> @@ -585,7 +586,7 @@
> {
> SSL_library_init();
> SSL_load_error_strings();
> - SSL_context = SSL_CTX_new(TLSv1_method());
> + SSL_context = SSL_CTX_new(SSLv23_method());
> if (!SSL_context)
> {
> postmaster_error("failed to create SSL
> context: %s",
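Review bot: SSLv23_method() on its own also accepts SSLv2 handshakes, which is exactly what the original TLSv1_method() choice was avoiding, and this hunk adds nothing to exclude them. To get compatibility with pre-7.3 clients without reopening SSLv2, follow the SSL_CTX_new() call with `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2);` (present in OpenSSL 0.9.6); the context then negotiates SSLv3 or TLSv1 with older clients and refuses SSLv2 only. A one-line comment saying that SSLv23_method() is used for client compatibility would also help the next reader, since nothing in the surrounding code explains the choice.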
> diff -ur postgresql-7.3/src/interfaces/libpq/fe-secure.c
> postgresql-7.3.patched/src/interfaces/libpq/fe-secure.c
> --- postgresql-7.3/src/interfaces/libpq/fe-secure.c Thu Nov 7
> 12:47:08 2002
> +++ postgresql-7.3.patched/src/interfaces/libpq/fe-secure.c Mon Dec 9
> 23:42:40 2002
> @@ -712,7 +712,7 @@
> {
> SSL_library_init();
> SSL_load_error_strings();
> - SSL_context = SSL_CTX_new(TLSv1_method());
> + SSL_context = SSL_CTX_new(SSLv23_method());
> if (!SSL_context)
> {
> printfPQExpBuffer(&conn->errorMessage,
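Review bot: same remark as for the backend: the client context also needs `SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2);` right after SSL_CTX_new(), otherwise a 7.3 libpq would negotiate SSLv2 with any server that offers it. The cover note says the server change is all that is needed for the reported problem, so consider whether the client half should be submitted at all; if it is, it should carry the same option and comment, and the stray fe-secure.c~ editor backup reported in the "Only in" line below should be deleted before the patch is regenerated.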
> Only in postgresql-7.3.patched/src/interfaces/libpq: fe-secure.c~
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
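The question in the reply above (whether the SSL_read() return value must be checked even after SSL_get_error() reports an error) comes down to the fact that one error code, SSL_ERROR_SYSCALL, covers two different conditions that only the return value separates. The following is an added example written for this page; it is not code from PostgreSQL or from the patch author. It needs no OpenSSL session: the dispatch is pure logic over the two integers, and the SSL_ERROR_* values are assumed to be the ones in OpenSSL's ssl.h so that real values can be passed in unchanged. The disposition type and the function names are hypothetical.

```c
/* Added example, not code from PostgreSQL or from the patch above.
 * Shows why both the SSL_read() return value (n) and SSL_get_error()
 * (err) are needed to classify a read.  The SSL_ERROR_* numbers are
 * assumed to match OpenSSL's ssl.h; no TLS session is required. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

/* Hypothetical disposition type (not part of OpenSSL or PostgreSQL). */
enum read_disposition {
    RD_DATA,        /* n > 0: application bytes delivered */
    RD_CLEAN_EOF,   /* peer sent close_notify; connection ended properly */
    RD_UNCLEAN_EOF, /* transport closed with no close_notify; truncation possible */
    RD_RETRY,       /* non-blocking socket needs more I/O; call SSL_read again */
    RD_FATAL        /* OS-level or TLS-level failure; abort the connection */
};

/*
 * classify_ssl_read: given n from SSL_read() and err from
 * SSL_get_error(ssl, n), decide what the caller should do.
 * saved_errno is errno captured immediately after SSL_read().
 * A human-readable reason for the log is written to msg.
 */
enum read_disposition
classify_ssl_read(int n, int err, int saved_errno, char *msg, size_t msglen)
{
    if (n > 0)
    {
        snprintf(msg, msglen, "%d bytes", n);
        return RD_DATA;
    }
    switch (err)
    {
        case SSL_ERROR_ZERO_RETURN:
            snprintf(msg, msglen, "clean shutdown (close_notify received)");
            return RD_CLEAN_EOF;
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:
            snprintf(msg, msglen, "would block; retry");
            return RD_RETRY;
        case SSL_ERROR_SYSCALL:
            /* One code, two situations, and only n tells them apart:
             * n == 0 is an EOF without close_notify (errno not set),
             * n == -1 is a genuine I/O error with errno valid.  Printing
             * strerror(errno) for the n == 0 case yields a meaningless
             * "Success", which is what the original elog() did. */
            if (n == 0)
            {
                snprintf(msg, msglen, "unclean shutdown: peer closed without close_notify");
                return RD_UNCLEAN_EOF;
            }
            snprintf(msg, msglen, "SSL SYSCALL error: %s", strerror(saved_errno));
            return RD_FATAL;
        case SSL_ERROR_SSL:
            snprintf(msg, msglen, "SSL protocol error (see ERR_get_error)");
            return RD_FATAL;
        default:
            snprintf(msg, msglen, "unexpected SSL_get_error code %d", err);
            return RD_FATAL;
    }
}

/* Convenience wrapper returning only the disposition. */
enum read_disposition
disposition_of(int n, int err, int saved_errno)
{
    char scratch[128];
    return classify_ssl_read(n, err, saved_errno, scratch, sizeof scratch);
}

int main(void)
{
    /* Constructed (n, err, errno) triples, one per branch. */
    struct { int n, err, e; } cases[] = {
        { 42, SSL_ERROR_NONE, 0 },
        {  0, SSL_ERROR_ZERO_RETURN, 0 },
        {  0, SSL_ERROR_SYSCALL, 0 },          /* the case the patch silences */
        { -1, SSL_ERROR_SYSCALL, ECONNRESET },
        { -1, SSL_ERROR_WANT_READ, EAGAIN },
        { -1, SSL_ERROR_SSL, 0 },
    };
    char msg[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    {
        enum read_disposition d =
            classify_ssl_read(cases[i].n, cases[i].err, cases[i].e, msg, sizeof msg);
        printf("n=%3d err=%d -> disposition %d: %s\n",
               cases[i].n, cases[i].err, (int) d, msg);
    }
    return 0;
}
```

The point for the server is the third row: n == 0 under SSL_ERROR_SYSCALL is an EOF, so aborting with a syscall error is wrong, but it is not a clean EOF either, so it deserves its own log line rather than silence; the patch's `if (n == -1)` collapses it into the latter.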
