[Pkg-postgresql-public] Bug#799663: libpq5: Error opening new ssl connections with postgresql server
Iñigo Belamendia
ibelamendia at enigmedia.es
Wed Sep 23 10:46:45 UTC 2015
Hi Christoph,
Thanks for your response.
We use PostgreSQL 9.1 and OpenSSL 1.0.1e (Debian Wheezy, full details
in the attachment).
On 23/09/15 11:27, Christoph Berg wrote:
> Control: tags -1 moreinfo
>
> Re: Iñigo Belamendia 2015-09-21 <55FFDEB8.7040306 at enigmedia.es>
>> Since last Monday (Sep 14) our OpenSIPS (1.11.5) dies after a
>> restart. The process starts, but after a few seconds (10") it goes
>> down. The first connections bind correctly, but the next ones are
>> rejected. OpenSIPS and PostgreSQL are installed in different VMs.
>>
>> * What led up to the situation?
>>   libpq5 package upgrade executed last Monday (Sep 14)
>>
>> * What exactly did you do (or not do) that was effective (or
>>   ineffective)?
>>   1. Restoring version 9.1.16-0+deb7u2
>>      # apt-get install libpq5=9.1.16-0+deb7u2
>>   2. Granting no-ssl connections in pg_hba.conf
>>   Either of the above (1 or 2) fixes the problem
>
> Hi Iñigo,
>
> which PostgreSQL server version are you running on the other side
> of that libpq connection? (package, OS, and openssl versions
> please)
>
> There was a change between libpq 9.1.16 and .17 to update the TLS
> versions supported:
>
> commit 2c2c5f0e02b58d225385f5008fb797a90935cb06
> Author: Tom Lane <tgl at sss.pgh.pa.us>
> Date: Thu May 21 20:41:55 2015 -0400
>
> Back-patch libpq support for TLS versions beyond v1.
>
> Since 7.3.2, libpq has been coded in such a way that the only SSL
> protocol it would allow was TLS v1. That approach is looking
> increasingly obsolete. In commit 820f08cabdcbb899 we fixed it to
> allow TLS >= v1, but did not back-patch the change at the time,
> partly out of caution and partly because the question was confused
> by a contemporary server-side change to reject the now-obsolete SSL
> protocol v3. 9.4 has now been out long enough that it seems safe
> to assume the change is OK; hence, back-patch into 9.0-9.3.
>
> (I also chose to back-patch some relevant comments added by commit
> 326e1d73c476a0b5, but did *not* change the server behavior; hence,
> pre-9.4 servers will continue to allow SSL v3, even though no
> remotely modern client will request it.)
>
> Per gripe from Jan Bilek.
>
> Christoph
>
-------------- next part --------------
root@dbserver:~# uname -a
Linux dbserver 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u4 x86_64 GNU/Linux
root@dbserver:~# cat /etc/debian_version
7.9
root@dbserver:~# dpkg --list 'postgres*'
Deseado=Desconocido/Instalar/Eliminar/Purgar/Retener
| Estado=No/Instalado/Config-files/Desempaquetado/Medio-conf/Medio-inst/espera-disparo/pendiente-disparo
|/ Err?=(ninguno)/Requiere-reinst (Estado,Err: mayúsc.=malo)
||/ Nombre Versión Arquitectura Descripción
+++-======================================-========================-========================-=================================================================================
ii postgresql 9.1+134wheezy4 all object-relational SQL database (supported version)
un postgresql-7.4 <ninguna> (no hay ninguna descripción disponible)
un postgresql-8.0 <ninguna> (no hay ninguna descripción disponible)
ii postgresql-9.1 9.1.18-0+deb7u1 amd64 object-relational SQL database, version 9.1 server
ii postgresql-9.1-plsh 1.3-5 amd64 PL/sh procedural language for PostgreSQL 9.1
un postgresql-client <ninguna> (no hay ninguna descripción disponible)
ii postgresql-client-9.1 9.1.18-0+deb7u1 amd64 front-end programs for PostgreSQL 9.1
ii postgresql-client-common 134wheezy4 all manager for multiple PostgreSQL client versions
ii postgresql-common 134wheezy4 all PostgreSQL database-cluster manager
ii postgresql-contrib 9.1+134wheezy4 all additional facilities for PostgreSQL (supported version)
ii postgresql-contrib-9.1 9.1.18-0+deb7u1 amd64 additional facilities for PostgreSQL
un postgresql-dev <ninguna> (no hay ninguna descripción disponible)
un postgresql-doc-9.1 <ninguna> (no hay ninguna descripción disponible)
un postgresql-plpython-9.1 <ninguna> (no hay ninguna descripción disponible)
root@dbserver:~# dpkg --list 'openssl*'
Deseado=Desconocido/Instalar/Eliminar/Purgar/Retener
| Estado=No/Instalado/Config-files/Desempaquetado/Medio-conf/Medio-inst/espera-disparo/pendiente-disparo
|/ Err?=(ninguno)/Requiere-reinst (Estado,Err: mayúsc.=malo)
||/ Nombre Versión Arquitectura Descripción
+++-=======================================================================-========================================-========================================-====================================================================================
ii openssl 1.0.1e-2+deb7u17 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
un openssl-blacklist <ninguna> (no hay ninguna descripción disponible)
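
An added example, not part of the original message and not libpq or Debian code: a Python check of which TLS versions a PostgreSQL server will negotiate, the question the quoted commit raises for this client/server pair. It sends the protocol's SSLRequest packet before the handshake; host and port are supplied by the operator, certificate verification is off because only protocol support is tested, and a local OpenSSL policy that forbids an old version shows up as a handshake failure.

```python
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest: Int32 length (8), then Int32 code 80877103 (1234 << 16 | 5679).
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def request_ssl(sock):
    """Send SSLRequest on a connected socket; True if the server answers 'S'."""
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    if reply == b"S":      # server will start a TLS handshake
        return True
    if reply == b"N":      # SSL not available on the server
        return False
    raise ConnectionError("unexpected SSLRequest reply: %r" % reply)


def probe(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to one TLS version; return the outcome as text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # diagnostic only: tests protocol support, not identity
    ctx.minimum_version = version     # set the floor first, then the ceiling
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if not request_ssl(raw):
            return "server refused SSL"
        try:
            with ctx.wrap_socket(raw) as tls:
                return "negotiated " + tls.version()
        except (ssl.SSLError, OSError) as exc:
            return "handshake failed: %s" % exc


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python probe.py <host> <port>  (values are supplied by the operator)
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, "->", probe(sys.argv[1], int(sys.argv[2]), v))
```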