Re: pgcrypto seeding problem when ssl=on

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pgcrypto seeding problem when ssl=on
Date: 2013-01-13 21:50:10
Message-ID: CACMqXC+ioKc7o96=mHb8+jBK1iqoupGz14H2D3rkKcOXfrUmkQ@mail.gmail.com
Lists: pgsql-hackers

On Fri, Dec 21, 2012 at 10:27 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> How about instead calling RAND_cleanup() after each backend fork?

Attached is a patch that adds RAND_cleanup() to fork_process().
That way all forked processes start with fresh state.  This should
make sure the problem does not happen in any processes
forked by postmaster.

Please backpatch.

...

An alternative is to put RAND_cleanup() in BackendInitialize() so only
new backends start with fresh state.

Another alternative is to put RAND_cleanup() after SSL_accept();
that way core code sees no change, but other OpenSSL users
in the backend operate securely.

-- 
marko

Attachment: rand_cleanup.diff
Description: application/octet-stream (637 bytes)
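
The failure mode this message addresses, as an added example that is not part of the original message or the attached patch: children forked from a parent that has already seeded a PRNG inherit identical state unless it is reset after fork. The PRNG is a toy xorshift stand-in, not OpenSSL's, and `toy_seed`, `toy_cleanup`, `child_output` and `children_collide` are hypothetical names; `toy_cleanup` plays the role RAND_cleanup() has in the proposal.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy per-process PRNG pool (assumption: a stand-in, NOT OpenSSL's code). */
static uint64_t pool;
static int seeded;

static void toy_seed(void) {             /* pull fresh entropy from the kernel */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&pool, sizeof pool, 1, f) != 1) _exit(2);
    fclose(f);
    seeded = 1;
}
static void toy_cleanup(void) { pool = 0; seeded = 0; } /* RAND_cleanup() role */
static uint64_t toy_rand(void) {         /* xorshift64, seeds lazily on first use */
    if (!seeded) toy_seed();
    pool ^= pool << 13; pool ^= pool >> 7; pool ^= pool << 17;
    return pool;
}

/* Fork one child, optionally reset the pool in it, return its first output. */
static uint64_t child_output(int reset_after_fork) {
    int fd[2];
    uint64_t v = 0;
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (reset_after_fork) toy_cleanup();   /* child discards inherited state */
        v = toy_rand();
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    if (pid < 0 || read(fd[0], &v, sizeof v) != (ssize_t)sizeof v) v = 0;
    close(fd[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return v;
}

/* Returns 1 if two children forked from one seeded parent emit the same value. */
int children_collide(int reset_after_fork) {
    toy_rand();   /* parent seeds and uses the pool before forking */
    return child_output(reset_after_fork) == child_output(reset_after_fork);
}

int main(void) {
    printf("no reset: collide=%d, reset after fork: collide=%d\n",
           children_collide(0), children_collide(1));
    return 0;
}
```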