Greetings, hackers!
The flurry of patches that vendors have recently been making to OpenSSL to address the potential man-in-the-middle
attackduring SSL renegotiation have disabled SSL renegotiation altogether in the OpenSSL libraries. Applications that
makeuse of SSL renegotiation, such as PostgreSQL, start failing.
I’ve noticed such failures on Mac OS X 10.6.2 after installing Security Update 2010-001 (which is when Apple
distributedtheir OpenSSL patch):
http://support.apple.com/kb/HT4004
> OpenSSL
>
> CVE-ID: CVE-2009-3555
>
> Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
>
> Impact: An attacker with a privileged network position may capture data or change the operations performed in
sessionsprotected by SSL
>
> Description: A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available
athttp://www.phonefactor.com/sslgap A change to the renegotiation protocol is underway within the IETF. This update
disablesrenegotiation in OpenSSL as a preventive security measure.
After installing Security Update 2010-001, any libpq connection to the server that exchanges more than 512MB of data
(theRENEGOTIATION_LIMIT defined in src/backend/libpq/be-secure.c) will trigger an SSL renegotiation, which fails, which
disconnectsthe client. I observed the problem on both PostgreSQL 8.1.19 and PostgreSQL 8.4.2 (those are the only
versionsI have in production).
I have been working around the problem by disabling SSL renegotiation entirely in my PostgreSQL servers, commenting out
lines316-339 in src/backend/libpq/be-secure.c.
There have been reports of such SSL-related breakage on other platforms, too:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560205
Thanks! Happy hacking!
- Chris
