[Pkg-postgresql-public] Bug#799663: libpq5: Error opening new ssl connections with postgresql server

Iñigo Belamendia ibelamendia at enigmedia.es
Wed Sep 23 10:46:45 UTC 2015


Hi Christoph,

Thanks for your response.

We use PostgreSQL 9.1 and OpenSSL 1.0.1e (Debian Wheezy, full details
in the attachment).

On 23/09/15 11:27, Christoph Berg wrote:
> Control: tags -1 moreinfo
> 
> Re: Iñigo Belamendia 2015-09-21 <55FFDEB8.7040306 at enigmedia.es>
>> Since last Monday (Sep 14) our OpenSIPS (1.11.5) dies after a
>> restart. The process starts but after a few seconds (10") it goes
>> down. First connections bind correctly but the next ones are
>> rejected. OpenSIPS and PostgreSQL are installed in different VMs.
>> 
>> * What led up to the situation? libpq5 package upgrade executed
>> on last Monday (Sep 14)
>> 
>> * What exactly did you do (or not do) that was effective (or
>> ineffective)?
>> 1. Restoring version 9.1.16-0+deb7u2
>>    # apt-get install libpq5=9.1.16-0+deb7u2
>> 2. Granting no-SSL connections in pg_hba.conf
>> Any of the above (1 or 2) fixes the problem
> 
> Hi Iñigo,
> 
> which PostgreSQL server version are you running on the other side
> of that libpq connection? (package, OS, and openssl versions
> please)
> 
> There was a change between libpq 9.1.16 and .17 to update the TLS 
> versions supported:
> 
> commit 2c2c5f0e02b58d225385f5008fb797a90935cb06
> Author: Tom Lane <tgl at sss.pgh.pa.us>
> Date:   Thu May 21 20:41:55 2015 -0400
> 
> Back-patch libpq support for TLS versions beyond v1.
> 
> Since 7.3.2, libpq has been coded in such a way that the only SSL
> protocol it would allow was TLS v1.  That approach is looking
> increasingly obsolete. In commit 820f08cabdcbb899 we fixed it to
> allow TLS >= v1, but did not back-patch the change at the time,
> partly out of caution and partly because the question was confused
> by a contemporary server-side change to reject the now-obsolete SSL
> protocol v3.  9.4 has now been out long enough that it seems safe
> to assume the change is OK; hence, back-patch into 9.0-9.3.
> 
> (I also chose to back-patch some relevant comments added by commit 
> 326e1d73c476a0b5, but did *not* change the server behavior; hence,
> pre-9.4 servers will continue to allow SSL v3, even though no
> remotely modern client will request it.)
> 
> Per gripe from Jan Bilek.
> 
> Christoph
> 
-------------- next part --------------
root@dbserver:~# uname -a
Linux dbserver 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u4 x86_64 GNU/Linux

root@dbserver:~# cat /etc/debian_version
7.9

root@dbserver:~# dpkg --list 'postgres*'
Deseado=Desconocido/Instalar/Eliminar/Purgar/Retener
| Estado=No/Instalado/Config-files/Desempaquetado/Medio-conf/Medio-inst/espera-disparo/pendiente-disparo
|/ Err?=(ninguno)/Requiere-reinst (Estado,Err: mayúsc.=malo)
||/ Nombre                                 Versión                 Arquitectura             Descripción
+++-======================================-========================-========================-=================================================================================
ii  postgresql                             9.1+134wheezy4           all                      object-relational SQL database (supported version)
un  postgresql-7.4                         <ninguna>                                         (no hay ninguna descripción disponible)
un  postgresql-8.0                         <ninguna>                                         (no hay ninguna descripción disponible)
ii  postgresql-9.1                         9.1.18-0+deb7u1          amd64                    object-relational SQL database, version 9.1 server
ii  postgresql-9.1-plsh                    1.3-5                    amd64                    PL/sh procedural language for PostgreSQL 9.1
un  postgresql-client                      <ninguna>                                         (no hay ninguna descripción disponible)
ii  postgresql-client-9.1                  9.1.18-0+deb7u1          amd64                    front-end programs for PostgreSQL 9.1
ii  postgresql-client-common               134wheezy4               all                      manager for multiple PostgreSQL client versions
ii  postgresql-common                      134wheezy4               all                      PostgreSQL database-cluster manager
ii  postgresql-contrib                     9.1+134wheezy4           all                      additional facilities for PostgreSQL (supported version)
ii  postgresql-contrib-9.1                 9.1.18-0+deb7u1          amd64                    additional facilities for PostgreSQL
un  postgresql-dev                         <ninguna>                                         (no hay ninguna descripción disponible)
un  postgresql-doc-9.1                     <ninguna>                                         (no hay ninguna descripción disponible)
un  postgresql-plpython-9.1                <ninguna>                                         (no hay ninguna descripción disponible)

root@dbserver:~# dpkg --list 'openssl*'
Deseado=Desconocido/Instalar/Eliminar/Purgar/Retener
| Estado=No/Instalado/Config-files/Desempaquetado/Medio-conf/Medio-inst/espera-disparo/pendiente-disparo
|/ Err?=(ninguno)/Requiere-reinst (Estado,Err: mayúsc.=malo)
||/ Nombre                                                                  Versión                                 Arquitectura                             Descripción
+++-=======================================================================-========================================-========================================-====================================================================================
ii  openssl                                                                 1.0.1e-2+deb7u17                         amd64                                    Secure Socket Layer (SSL) binary and related cryptographic tools
un  openssl-blacklist                                                       <ninguna>                                                                         (no hay ninguna descripción disponible)
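
Added example, not part of the original message and not PostgreSQL or OpenSIPS code: a parser for the client-to-server bytes of a captured libpq connection (the PostgreSQL SSLRequest packet followed by the TLS ClientHello) that reports which TLS versions the client offers, the behaviour the quoted commit changes. The function names and the sample byte strings are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

SSL_REQUEST = struct.pack("!II", 8, 80877103)  # PostgreSQL SSLRequest: length 8, code 1234.5679
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def offered_versions(stream):
    """TLS versions offered in the client-to-server bytes of a libpq connection."""
    if not stream.startswith(SSL_REQUEST):
        raise ValueError("stream does not start with a PostgreSQL SSLRequest")
    rec = stream[len(SSL_REQUEST):]
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("no TLS ClientHello after the SSLRequest")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    try:
        versions = [struct.unpack("!H", body[:2])[0]]  # client_version: highest offered
        pos = 2 + 32                                    # skip client_version and random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos < len(body):                             # optional extensions block
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                if etype == 0x002B:                     # supported_versions (TLS 1.3 clients)
                    data = body[pos + 4:pos + 4 + elen]
                    versions = [v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]])]
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("malformed or truncated ClientHello") from None
    return [NAMES.get(v, hex(v)) for v in versions]

def sample_hello(version, extensions=b""):
    """Constructed minimal ClientHello record (one cipher suite, null compression)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    body += extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for v in (0x0301, 0x0303):  # TLSv1-only client vs. a client allowing newer versions
        print(offered_versions(SSL_REQUEST + sample_hello(v)))
```

Running it on the first client packets captured before and after a libpq upgrade shows whether the version the client offers changed.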
