Re: BUG #14893: libpq SSL ClientHello too long, no option to set ciphers or affect cipher list length

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: minfrin(at)sharp(dot)fm
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #14893: libpq SSL ClientHello too long, no option to set ciphers or affect cipher list length
Date: 2017-11-09 16:39:16
Message-ID: 25136.1510245556@sss.pgh.pa.us
Lists: pgsql-bugs

minfrin(at)sharp(dot)fm writes:
> I am having trouble on an Ubuntu Xenial machine where the out-the-box psql
> refuses to connect to the out-the-box postgresql over SSL. The same setup
> worked on Ubuntu Trusty.

> Debugging reveals that the cipher list sent by the libpq client is too long
> (greater than 255 bytes), and this causes the postgresql server to slam down
> the phone, or it derails the client side enough that a bogus message "tlsv1
> alert unknown ca" is returned by the client.

This seems like an OpenSSL bug, not a Postgres bug. libpq doesn't do
anything that determines cipher lists.

regards, tom lane
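
Added example, not part of either message and not libpq code: since the cipher list comes from the TLS library, this Python sketch has the local OpenSSL (through Python's `ssl` module, used here as a stand-in for any OpenSSL-linked client) write a ClientHello into memory and reports the size of its cipher_suites field. The host name `db.example.invalid` and the restricted cipher string are assumptions chosen for illustration.

```python
import ssl
import struct

def build_client_hello(ciphers=None, host="db.example.invalid"):
    """Return the first TLS record the local OpenSSL writes for a new client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ciphers:
        ctx.set_ciphers(ciphers)  # affects TLS 1.2 and older suites only
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no server will answer
    return outgoing.read()

def parse_client_hello(data):
    """Extract the length fields from a single-record ClientHello."""
    rec_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    if rec_type != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]          # skip session_id (1-byte length prefix)
    (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
    return {"record_len": rec_len, "handshake_len": hs_len,
            "cipher_suites_len": cs_len, "cipher_suites": cs_len // 2}

def measure(ciphers=None):
    """Build and parse a ClientHello; flag a cipher list above 255 bytes."""
    info = parse_client_hello(build_client_hello(ciphers))
    info["over_255"] = info["cipher_suites_len"] > 255
    return info

if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("default   :", measure())
    print("restricted:", measure("ECDHE-RSA-AES256-GCM-SHA384"))
```

The numbers depend on the OpenSSL build and its system-wide configuration, so run it on the affected host to see what that library actually sends.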
