Hi Christoph,

----- Original Message -----
> From: "Christoph Berg" <c...@df7cb.de>
> To: "Chris Butler" <cbut...@zedcore.com>
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
>
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?

Yes, that would appear to be the case - the key we're using is only 512 bits. I'll make sure we replace the certificate before re-applying the update (which will probably be after the holidays now).

> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.

For info, I can confirm that both libraries are loading the same libssl:

zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd /usr/lib/x86_64-linux-gnu/libpq.so.5 | grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3e8d898000)
zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd ./libpq.so.5 | grep libssl
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5d76176000)

I can see a few changes are listed in the 9.4 changelog relating to SSL, so my guess would be one of those changes has altered the behaviour of libssl when presented with a small key.

--
Chris Butler
Zedcore Systems Ltd
Telephone: 0114 303 0666
Direct dial: 0114 303 0572
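
Added example, not part of the original message and not PostgreSQL or OpenSSL code: a sketch of the PKCS#1 v1.5 signature encoding (RFC 8017, EMSA-PKCS1-v1_5) showing which digests fit in which RSA key sizes. It assumes the "digest too big for rsa key" error comes from this padding check; the thread does not say which digest or padding was in use, and the function names are hypothetical.

```python
import hashlib

# DER DigestInfo prefixes listed in RFC 8017, section 9.2.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
MIN_PADDING = 11  # 0x00 0x01, at least eight 0xff bytes, then 0x00


class DigestTooBig(ValueError):
    """The encoded digest does not fit in the RSA modulus."""


def emsa_pkcs1_v15(message: bytes, digest: str, key_bits: int) -> bytes:
    """Build the block that gets RSA-signed, or raise DigestTooBig."""
    em_len = (key_bits + 7) // 8
    t = DIGEST_INFO_PREFIX[digest] + hashlib.new(digest, message).digest()
    if em_len < len(t) + MIN_PADDING:
        raise DigestTooBig(
            f"{digest} needs {len(t) + MIN_PADDING} bytes, key holds {em_len}")
    padding = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def min_key_bits(digest: str) -> int:
    """Smallest modulus size (bits) that can carry this digest."""
    t_len = len(DIGEST_INFO_PREFIX[digest]) + hashlib.new(digest).digest_size
    return (t_len + MIN_PADDING) * 8


def fits(digest: str, key_bits: int) -> bool:
    try:
        emsa_pkcs1_v15(b"constructed sample message", digest, key_bits)
        return True
    except DigestTooBig:
        return False


if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):  # key sizes mentioned in the thread
        row = ", ".join(f"{d}={'ok' if fits(d, bits) else 'TOO BIG'}"
                        for d in DIGEST_INFO_PREFIX)
        print(f"{bits:>4}-bit key: {row}")
```

Under this assumption a 512-bit key can still carry SHA-1 or SHA-256 but not SHA-384 or SHA-512, which is consistent with the quoted observation that roughly 768 bits is the minimum that works.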