[Pkg-postgresql-public] Bug#799663: libpq5: Error opening new ssl connections with postgresql server

Christoph Berg myon at debian.org
Wed Sep 23 09:27:19 UTC 2015


Control: tags -1 moreinfo

Re: Iñigo Belamendia 2015-09-21 <55FFDEB8.7040306 at enigmedia.es>
> Since last Monday (Sep 14) our OpenSIPS (1.11.5) dies after a restart.
> The process starts but after a few seconds (10") it goes down. First
> connections bind correctly but the next ones are rejected. OpenSIPS
> and PostgreSQL are installed in different VMs.
> 
> * What led up to the situation?
> libpq5 package upgrade executed last Monday (Sep 14)
> 
> * What exactly did you do (or not do) that was effective (or ineffective)?
> 1. Restoring version 9.1.16-0+deb7u2
> # apt-get install libpq5=9.1.16-0+deb7u2
> 2. granting no-ssl connections in pg_hba.conf
> Either of the above (1 or 2) fixes the problem

Hi Iñigo,

which PostgreSQL server version are you running on the other side of
that libpq connection? (package, OS, and openssl versions please)

There was a change between libpq 9.1.16 and .17 to update the TLS
versions supported:

commit 2c2c5f0e02b58d225385f5008fb797a90935cb06
Author: Tom Lane <tgl at sss.pgh.pa.us>
Date:   Thu May 21 20:41:55 2015 -0400

    Back-patch libpq support for TLS versions beyond v1.
    
    Since 7.3.2, libpq has been coded in such a way that the only SSL protocol
    it would allow was TLS v1.  That approach is looking increasingly obsolete.
    In commit 820f08cabdcbb899 we fixed it to allow TLS >= v1, but did not
    back-patch the change at the time, partly out of caution and partly because
    the question was confused by a contemporary server-side change to reject
    the now-obsolete SSL protocol v3.  9.4 has now been out long enough that
    it seems safe to assume the change is OK; hence, back-patch into 9.0-9.3.
    
    (I also chose to back-patch some relevant comments added by commit
    326e1d73c476a0b5, but did *not* change the server behavior; hence, pre-9.4
    servers will continue to allow SSL v3, even though no remotely modern
    client will request it.)
    
    Per gripe from Jan Bilek.

Christoph
-- 
cb at df7cb.de | http://www.df7cb.de/
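
Added example, not part of the original message or of libpq: a small probe that sends PostgreSQL's SSLRequest to a server and reports which TLS protocol version the server negotiates, which helps answer the question about the server side of the connection. The function name probe_pg_tls and the host/port arguments are assumptions for illustration; certificate verification is switched off because the probe only reads the negotiated protocol.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def probe_pg_tls(host, port=5432, timeout=5.0):
    """Return a dict describing how the server answers a TLS upgrade request."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        answer = sock.recv(1)  # server replies with a single byte: 'S' or 'N'
        if answer == b"N":
            return {"ssl": False, "detail": "server refused SSLRequest"}
        if answer != b"S":
            return {"ssl": False, "detail": "unexpected reply %r" % answer}

        # Diagnostic only: certificate checks are off because the goal is to
        # read the negotiated protocol, not to authenticate the server.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock) as tls:
                return {"ssl": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
        except OSError as exc:
            # A handshake failure here usually means the two sides share no
            # protocol version or cipher; the error text says which.
            return {"ssl": True, "protocol": None, "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    print(probe_pg_tls(sys.argv[1], target_port))
```

A modern client OpenSSL may refuse TLS v1 by local policy, so a handshake error from this probe against an old server is itself a useful data point.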