Re: Updated libpq5 packages cause connection errors on postgresql 9.2

From: Chris Butler <cbutler(at)zedcore(dot)com>
To: Christoph Berg <cb(at)df7cb(dot)de>
Cc: pgsql-pkg-debian(at)postgresql(dot)org, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Updated libpq5 packages cause connection errors on postgresql 9.2
Date: 2014-12-19 11:16:14
Message-ID: 1003091149.80142.1418987774498.JavaMail.zimbra@zedcore.com
Lists: pgsql-hackers pgsql-pkg-debian

Hi Christoph,

----- Original Message -----
> From: "Christoph Berg" <cb(at)df7cb(dot)de>
> To: "Chris Butler" <cbutler(at)zedcore(dot)com>
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
>
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?

Yes, that would appear to be the case - the key we're using is only 512 bits. I'll make sure we replace the certificate before re-applying the update (which will probably be after the holidays now).

> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.

For info, I can confirm that both libraries are loading the same libssl:

zedcore(at)web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd /usr/lib/x86_64-linux-gnu/libpq.so.5 | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3e8d898000)
zedcore(at)web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd ./libpq.so.5 | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5d76176000)

I can see a few changes are listed in the 9.4 changelog relating to SSL, so my guess would be one of those changes has altered the behaviour of libssl when presented with a small key.

--
Chris Butler
Zedcore Systems Ltd

Telephone: 0114 303 0666
Direct dial: 0114 303 0572
