Re: postgres-8.4SS, pg_dump from macosx-10.6 has "ssl handshake error" 26% in

Tom Lane wrote:

> raf <raf(at)raf(dot)org> writes:
> > i'm having a little openssl problem with pg_dump over a wireless
> > lan with postgres-8.4SS (on linux) from enterprisedb and
> > a macosx-10.6 client.
>
> > when i run pg_dump from a wired linux client it's always fine
> > but since i switched from a macosx-10.4 laptop to a
> > macosx-10.6 laptop, every time i run pg_dump from the laptop
> > over the wireless lan, it's fine for a few minutes and then,
> > 26% of the way in, it stalls and never completes.
>
> What this sounds like is you've got an openssl library with deliberately
> broken renegotiate behavior. Google for CVE-2009-3555 to learn
> something about why that might be.
>
> Assuming that "8.4SS" actually means 8.4.3 or later, you can work around
> this by setting ssl_renegotiation_limit to zero in the server. But it'd
> be better to get a copy of libssl with an actual fix, rather than a
> braindead kluge, for the CVE problem.

the latest enterprisedb standard server is only 8.4.1 (New! 13-Oct-09) :-)

> I'm not real sure which of the two ssl libraries you've got is at fault
> (they might both be :-()

both sides are using 0.9.7 so they're both vulnerable.

i can probably replace the server's copy of libssl with a more
recent version. the client end is a bit trickier. it's using
a system libssl but both 0.9.7 and 0.9.8 are present in the
same directory and it's using 0.9.7. no, removing 0.9.7 or
overwriting it with 0.9.8 doesn't work. i didn't think it
would. :)

i think i'll have to switch from enterprisedb's standard
server to the core distribution to get the latest version
which hopefully uses the more recent libssl.

many thanks.

> regards, tom lane

cheers,
raf