Hi Christoph,

----- Original Message -----
> From: "Christoph Berg" <c...@df7cb.de>
> To: "Chris Butler" <cbut...@zedcore.com>
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
> 
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?

Yes, that would appear to be the case - the key we're using is only 512 bits. 
I'll make sure we replace the certificate before re-applying the update (which 
will probably be after the holidays now).
 
> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.

For info, I can confirm that both libraries are loading the same libssl:

zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd /usr/lib/x86_64-linux-gnu/libpq.so.5 | grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3e8d898000)
zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd ./libpq.so.5 | grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5d76176000)


I can see a few changes are listed in the 9.4 changelog relating to SSL, so my 
guess would be one of those changes has altered the behaviour of libssl when 
presented with a small key.

-- 
Chris Butler
Zedcore Systems Ltd

Telephone: 0114 303 0666
Direct dial: 0114 303 0572
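As an added illustration (not part of the original thread) of why a 512-bit key trips the "digest too big for rsa key" error while something like 768 bits works: under PKCS#1 v1.5 signing the DER DigestInfo prefix, the hash and at least 11 bytes of padding must all fit inside the modulus. The prefix lengths used here are the RFC 8017 values; the 2048-bit policy minimum is an assumed local policy.

```python
# PKCS#1 v1.5 signature encoding (RFC 8017, section 9.2):
#     EM = 0x00 || 0x01 || PS || 0x00 || T
# T is the DER DigestInfo (prefix + hash), PS is at least 8 bytes of 0xFF,
# so EM needs len(T) + 11 bytes and must fit in k, the modulus size in bytes.
# If it does not, OpenSSL fails with "digest too big for rsa key".

# hash name -> (DER DigestInfo prefix length, hash output length), RFC 8017.
DIGEST_INFO = {
    "sha1":   (15, 20),
    "sha224": (19, 28),
    "sha256": (19, 32),
    "sha384": (19, 48),
    "sha512": (19, 64),
}

def encoded_message_len(hash_name: str) -> int:
    """Bytes needed for EM with this hash: prefix + hash + 11 padding bytes."""
    prefix_len, hash_len = DIGEST_INFO[hash_name]
    return prefix_len + hash_len + 11

def signing_fits(key_bits: int, hash_name: str) -> bool:
    """True if a PKCS#1 v1.5 signature with this hash fits in the modulus."""
    return key_bits // 8 >= encoded_message_len(hash_name)

def min_rsa_bits(hash_name: str) -> int:
    """Smallest modulus size (bits) at which signing with this hash works."""
    return encoded_message_len(hash_name) * 8

def check_key(key_bits: int, hash_name: str, policy_min_bits: int = 2048) -> list:
    """Findings for a certificate key: first whether the signature can be
    formed at all, then whether the key meets the (assumed) policy minimum."""
    findings = []
    if not signing_fits(key_bits, hash_name):
        findings.append(
            f"{key_bits}-bit RSA cannot sign with {hash_name}: needs "
            f"{encoded_message_len(hash_name)} bytes, modulus is {key_bits // 8}"
        )
    if key_bits < policy_min_bits:
        findings.append(f"{key_bits}-bit RSA is below policy minimum {policy_min_bits}")
    return findings

if __name__ == "__main__":
    # Constructed sample: the 512-bit client key from the thread, checked
    # against each hash a TLS peer might require for the signature.
    for name in DIGEST_INFO:
        print(f"{name:6s} min {min_rsa_bits(name):4d} bits; 512-bit key:",
              check_key(512, name))
```

A 512-bit key can still sign with SHA-256 (62 of 64 bytes), so the error only appears once the peer requires SHA-384 or SHA-512; that is consistent with the behaviour changing between builds even though both load the same libssl.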


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers