From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bastiaan Olij <bastiaan(at)basenlily(dot)me> |
Cc: | pgsql Novice <pgsql-novice(at)postgresql(dot)org> |
Subject: | Re: Backups and SSL |
Date: | 2011-03-01 04:58:10 |
Message-ID: | 26106.1298955490@sss.pgh.pa.us |
Lists: | pgsql-novice |

Bastiaan Olij <bastiaan(at)basenlily(dot)me> writes:
> I was wondering if something ran into this before and has some answers
> to what may have gone wrong here. I set up my local little test server
> to allow for SSL connections only as I was playing around with this.
> I had to restore a copy of a client's database on my machine to look at
> some data and pg_restore kept getting disconnected half way through
> restoring the backup with no explanation. Looking at the postgres logs I
> noticed a couple of entries related to a negotiation error on SSL. Not
> expecting much I changed my pg_hba file to allow for non secure
> connections and was suddenly able to restore this backup.
> I have had no issues with other backups since I switched my little test
> setup to using SSL but I'm eager to find out if this is a known issue
> with SSL and if something can be done about this.

Was this dying after several hundred megabytes pushed across the SSL
connection? If so, it probably is a known issue: many vendors
lobotomized their SSL libraries' handling of renegotiation as a stopgap
solution for the security issue CVE-2009-3555, and not everybody has
adopted a real fix yet. If you are running a reasonably recent version
of PG (one released since 2010-02-25) you can work around this by
setting ssl_renegotiation_limit = 0 in postgresql.conf; but a better fix
would be to update to a non-lobotomized SSL library if possible. Note
that either the client- or server-side SSL library could be at fault.

regards, tom lane
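
Added example, not part of the original message and not PostgreSQL's own code: a small audit that checks both workarounds discussed in this thread, namely whether `ssl_renegotiation_limit` is set to 0 in postgresql.conf and whether pg_hba.conf still contains rules that accept non-SSL connections. The sample file contents are constructed, the function names are hypothetical, and the 512MB default is an assumption taken from the PostgreSQL documentation for releases that have this parameter.

```python
import re

# Constructed sample files (not from the thread): the limit is left at its
# default and a plain "host" rule remains from the allow-non-SSL workaround.
SAMPLE_CONF = """\
ssl = on
#ssl_renegotiation_limit = 512MB   # commented out, so the default applies
"""
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS      METHOD
local    all       all                md5
hostssl  all       all   10.0.0.0/8   md5
host     all       all   0.0.0.0/0    md5
"""

UNITS_KB = {None: 1, "kB": 1, "MB": 1024, "GB": 1024 * 1024}
SETTING = re.compile(r"ssl_renegotiation_limit\s*=?\s*'?(\d+)\s*(kB|MB|GB)?'?")

def renegotiation_limit_kb(conf_text, default_kb=512 * 1024):
    """Effective limit in kB; assumes a 512MB default, last setting wins."""
    limit = default_kb
    for line in conf_text.splitlines():
        m = SETTING.fullmatch(line.split("#", 1)[0].strip())
        if m:
            limit = int(m.group(1)) * UNITS_KB[m.group(2)]
    return limit

def plaintext_capable_rules(hba_text):
    """Return (line number, rule) for rules that can match a non-SSL connection."""
    hits = []
    for n, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        # "host" matches SSL and non-SSL alike; "hostnossl" matches only non-SSL.
        if fields and fields[0] in ("host", "hostnossl") and fields[-1] != "reject":
            hits.append((n, " ".join(fields)))
    return hits

def audit(conf_text, hba_text):
    """Collect findings for both files; an empty list means nothing to fix."""
    findings = []
    kb = renegotiation_limit_kb(conf_text)
    if kb != 0:
        findings.append(f"ssl_renegotiation_limit is {kb} kB, not 0")
    for n, rule in plaintext_capable_rules(hba_text):
        findings.append(f"pg_hba.conf line {n} accepts non-SSL: {rule}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_HBA):
        print(finding)
```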