Skip site navigation (1) Skip section navigation (2)

Recent vendor SSL renegotiation patches break PostgreSQL

From: Chris Campbell <chris_campbell(at)mac(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Recent vendor SSL renegotiation patches break PostgreSQL
Date: 2010-02-03 11:24:30
Message-ID: 2856B4E0-4CDC-41F6-BF9C-9473FFAEE8CB@mac.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Greetings, hackers!

The flurry of patches that vendors have recently been making to OpenSSL to address the potential man-in-the-middle attack during SSL renegotiation have disabled SSL renegotiation altogether in the OpenSSL libraries. Applications that make use of SSL renegotiation, such as PostgreSQL, start failing.

I’ve noticed such failures on Mac OS X 10.6.2 after installing Security Update 2010-001 (which is when Apple distributed their OpenSSL patch):

    http://support.apple.com/kb/HT4004

> OpenSSL
> 
> CVE-ID: CVE-2009-3555
> 
> Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
> 
> Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
> 
> Description: A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available at http://www.phonefactor.com/sslgap A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure.

After installing Security Update 2010-001, any libpq connection to the server that exchanges more than 512MB of data (the RENEGOTIATION_LIMIT defined in src/backend/libpq/be-secure.c) will trigger an SSL renegotiation, which fails, which disconnects the client. I observed the problem on both PostgreSQL 8.1.19 and PostgreSQL 8.4.2 (those are the only versions I have in production).

I have been working around the problem by disabling SSL renegotiation entirely in my PostgreSQL servers, commenting out lines 316-339 in src/backend/libpq/be-secure.c.

There have been reports of such SSL-related breakage on other platforms, too:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560205

Thanks! Happy hacking!

- Chris


Responses

pgsql-hackers by date

Next:From: Greg StarkDate: 2010-02-03 11:53:58
Subject: Re: [HACKERS] Re: Faster CREATE DATABASE by delaying fsync (was 8.4.1 ubuntu karmic slow createdb)
Previous:From: Heikki LinnakangasDate: 2010-02-03 10:50:06
Subject: Re: Re: [COMMITTERS] pgsql: Write a WAL record whenever we perform an operation without

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group