Re: Updated libpq5 packages cause connection errors on postgresql 9.2

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Christoph Berg <cb(at)df7cb(dot)de>, Chris Butler <cbutler(at)zedcore(dot)com>, "pgsql-pkg-debian(at)postgresql(dot)org" <pgsql-pkg-debian(at)postgresql(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Updated libpq5 packages cause connection errors on postgresql 9.2
Date: 2014-12-19 12:08:18
Message-ID: CABUevEzDx-4tHkpQjB4E3Tdq54_TqCf40u+YZL6-Rda0uWQDpw@mail.gmail.com
Lists: pgsql-hackers pgsql-pkg-debian

On Fri, Dec 19, 2014 at 11:52 AM, Christoph Berg <cb(at)df7cb(dot)de> wrote:
> Re: Chris Butler 2014-12-19 <1155204201(dot)65430(dot)1418975376728(dot)JavaMail(dot)zimbra(at)zedcore(dot)com>
> > One of our servers is currently running on postgres 9.2 using the
> > 9.2.9-1.pgdg70+1 packages from pgdg.
> >
> > After an apt update this morning which brought in the libpq5 package
> > version 9.4.0-1.pgdg70+1, connections to the database started failing with
> > SSL errors logged on the server:
> >
> > [unknown] [unknown] LOG: could not accept SSL connection: digest too
> > big for rsa key
> >
> > Rolling back the server and client to libpq5 version 9.3.5-2.pgdg70+1
> > fixed it.
> >
> > This is running on an otherwise up-to-date Debian Wheezy. The SSL
> > certificate is locally issued using an internal CA which has been added to
> > the local trust store. SSL-related config options are left set to the
> > defaults.
>
> Hi Chris,
>
> thanks for the report.
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
>
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?
>
> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.
>
> I'm CCing -hackers, maybe someone there has an idea.
>

Some googling shows that this could be because it's negotiating TLS 1.2
which the key is just too small for. And we did change that in 9.4 - commit
326e1d73c476a0b5061ef00134bdf57aed70d5e7 disabled SSL in favor of always
using TLS for security reasons.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
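The arithmetic behind "digest too big for rsa key", as an added illustration that is not part of this thread: the RSA PKCS#1 v1.5 signature on a handshake needs the padded input (DigestInfo plus hash, or in TLS 1.0/1.1 the bare 36-byte MD5||SHA-1 concatenation) to fit in the modulus with 11 bytes of padding, which is the check OpenSSL performs. The assumption below is that the TLS 1.2 peer's signature_algorithms preference leads to SHA-512 being selected, which is why a 512-bit key that worked under TLS 1.0 fails under TLS 1.2 and why roughly 768 bits is the smallest size that works.

```python
import hashlib
from typing import Optional

# DER DigestInfo prefixes from RFC 8017 section 9.2 (hash OID, NULL params,
# OCTET STRING header); the hash value is appended to form T.
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# 00 01 <at least 8 bytes of FF> 00 : the same 11-byte overhead OpenSSL uses
PKCS1_PADDING_OVERHEAD = 11


def emsa_pkcs1_v15_encode(t: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2) of an already built T into em_len bytes."""
    if em_len < len(t) + PKCS1_PADDING_OVERHEAD:
        # This is the condition that OpenSSL reports as "digest too big for rsa key".
        raise ValueError("digest too big for rsa key")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def tls_signature_input(message: bytes, tls12_hash: Optional[str]) -> bytes:
    """Bytes that get padded for a handshake signature.
    TLS 1.0/1.1: MD5||SHA-1 of the message with no DigestInfo.
    TLS 1.2: DigestInfo || hash, hash chosen from signature_algorithms (assumed)."""
    if tls12_hash is None:
        return hashlib.md5(message).digest() + hashlib.sha1(message).digest()
    return DIGEST_INFO_PREFIX[tls12_hash] + hashlib.new(tls12_hash, message).digest()


def signature_fits(key_bits: int, tls12_hash: Optional[str]) -> bool:
    """True if an RSA key of key_bits can sign a handshake with this hash choice."""
    message = b"constructed ServerKeyExchange params"  # constructed sample input
    try:
        emsa_pkcs1_v15_encode(tls_signature_input(message, tls12_hash), key_bits // 8)
        return True
    except ValueError:
        return False


def min_key_bits(tls12_hash: Optional[str]) -> int:
    """Smallest RSA modulus (in bits) that can carry this signature input."""
    t_len = len(tls_signature_input(b"", tls12_hash))
    return (t_len + PKCS1_PADDING_OVERHEAD) * 8
```

For a 512-bit key the TLS 1.0 input (36 + 11 = 47 bytes) fits in the 64-byte modulus while a SHA-512 DigestInfo (83 + 11 = 94 bytes) does not, and 94 bytes is 752 bits, which is why 768-bit keys are the smallest that still work; the thread's advice to use 2048 bits stands regardless.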
