Greetings, hackers!

The flurry of patches that vendors have recently been making to OpenSSL to 
address the potential man-in-the-middle attack during SSL renegotiation has 
disabled SSL renegotiation altogether in the OpenSSL libraries. Applications 
that make use of SSL renegotiation, such as PostgreSQL, start failing.

I’ve noticed such failures on Mac OS X 10.6.2 after installing Security Update 
2010-001 (which is when Apple distributed their OpenSSL patch):

    http://support.apple.com/kb/HT4004

> OpenSSL
> 
> CVE-ID: CVE-2009-3555
> 
> Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, 
> Mac OS X Server v10.6.2
> 
> Impact: An attacker with a privileged network position may capture data or 
> change the operations performed in sessions protected by SSL
> 
> Description: A man-in-the-middle vulnerability exists in the SSL and TLS 
> protocols. Further information is available at 
> http://www.phonefactor.com/sslgap A change to the renegotiation protocol is 
> underway within the IETF. This update disables renegotiation in OpenSSL as a 
> preventive security measure.

After installing Security Update 2010-001, any libpq connection to the server 
that exchanges more than 512MB of data (the RENEGOTIATION_LIMIT defined in 
src/backend/libpq/be-secure.c) will trigger an SSL renegotiation, which fails, 
which disconnects the client. I observed the problem on both PostgreSQL 8.1.19 
and PostgreSQL 8.4.2 (those are the only versions I have in production).

I have been working around the problem by disabling SSL renegotiation entirely 
in my PostgreSQL servers, commenting out lines 316-339 in 
src/backend/libpq/be-secure.c.

There have been reports of such SSL-related breakage on other platforms, too:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560205

Thanks! Happy hacking!

- Chris


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

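The failure mode described in the post, as an added model in C that is neither PostgreSQL's be-secure.c nor OpenSSL code: the server's write path keeps a per-connection byte counter, attempts a renegotiation once the counter crosses the limit, and drops the client when the library refuses. Only the 512MB figure and the name RENEGOTIATION_LIMIT come from the post; the struct, the function names, the stubbed renegotiation callbacks and the 64MB write size are constructed for the example. It also exercises the post's workaround in its simplest form: a limit of 0 means the renegotiation branch is never reached.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The threshold the post names: RENEGOTIATION_LIMIT in be-secure.c, 512MB. */
#define RENEGOTIATION_LIMIT (512UL * 1024 * 1024)

/* Stand-in for the OpenSSL renegotiation calls (assumed interface, not the
 * real API): > 0 means the renegotiation completed, <= 0 means it failed. */
typedef int (*renegotiate_fn)(void);

typedef struct {
    size_t         count;           /* bytes sent since the last (re)negotiation */
    size_t         limit;           /* 0 disables renegotiation entirely */
    bool           connected;
    unsigned       renegotiations;  /* renegotiations that succeeded */
    renegotiate_fn renegotiate;
} ssl_conn;

/* What the session looks like after a run; returned by value so callers need
 * no state of their own. */
typedef struct {
    unsigned long long bytes_sent;
    bool               connected;
    unsigned           renegotiations;
    size_t             count;
} session_result;

/* Model of a patched library (Security Update 2010-001, Debian #560205):
 * every renegotiation attempt is refused. */
static int renegotiate_refused(void) { return 0; }

/* Model of an unpatched library where renegotiation still works. */
static int renegotiate_ok(void) { return 1; }

/* Model of the server write path: account for the bytes and, once the running
 * total crosses the limit, renegotiate. A failed renegotiation is treated as a
 * communication error and the client is dropped, which is the behaviour the
 * post observed. Returns the bytes accepted, or -1 if the client was dropped. */
long secure_write(ssl_conn *c, size_t len)
{
    if (!c->connected)
        return -1;

    c->count += len;
    if (c->limit != 0 && c->count > c->limit) {
        if (c->renegotiate() <= 0) {
            c->connected = false;   /* connection closed on the client */
            return -1;
        }
        c->renegotiations++;
        c->count = 0;               /* fresh accounting window */
    }
    return (long) len;
}

/* Push `chunks` writes of `chunk` bytes through a fresh connection and report
 * how far the session got before (if) it was dropped. */
session_result run_session(size_t limit, renegotiate_fn fn,
                           unsigned chunks, size_t chunk)
{
    ssl_conn c = { 0, limit, true, 0, fn };
    session_result r = { 0, true, 0, 0 };

    for (unsigned i = 0; i < chunks; i++) {
        long n = secure_write(&c, chunk);
        if (n < 0)
            break;
        r.bytes_sent += (unsigned long long) n;
    }
    r.connected = c.connected;
    r.renegotiations = c.renegotiations;
    r.count = c.count;
    return r;
}

int main(void)
{
    size_t chunk = 64UL * 1024 * 1024;   /* 64MB per write, constructed */
    session_result r;

    /* Patched library, default limit: dropped on the write crossing 512MB. */
    r = run_session(RENEGOTIATION_LIMIT, renegotiate_refused, 10, chunk);
    printf("patched,   limit 512MB: %llu bytes, connected=%d\n",
           r.bytes_sent, (int) r.connected);

    /* Patched library, renegotiation disabled (the post's workaround). */
    r = run_session(0, renegotiate_refused, 10, chunk);
    printf("patched,   limit 0:     %llu bytes, connected=%d\n",
           r.bytes_sent, (int) r.connected);

    /* Unpatched library: one renegotiation, the session survives. */
    r = run_session(RENEGOTIATION_LIMIT, renegotiate_ok, 10, chunk);
    printf("unpatched, limit 512MB: %llu bytes, renegotiations=%u\n",
           r.bytes_sent, r.renegotiations);
    return 0;
}
```

The model needs no OpenSSL to build, since the library calls are stubbed. Two caveats for anyone applying the post's workaround: the byte limit exists to refresh the session keys periodically, so disabling renegotiation gives that up; and commenting out lines in be-secure.c has to be redone on every source upgrade. Later PostgreSQL releases exposed the same threshold as the ssl_renegotiation_limit setting, with 0 disabling renegotiation, and eventually dropped renegotiation support altogether, so a configurable limit is the less fragile form of the same fix.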