Re: More SSL crash woes - Mailing list pgsql-general

From Jeff Amiel
Subject Re: More SSL crash woes
Date
Msg-id 47FBCF3B.9020702@istreamimaging.com
In response to Re: More SSL crash woes  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: More SSL crash woes  (Jeff Amiel <jamiel@istreamimaging.com>)
Re: More SSL crash woes  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tom Lane wrote:
> The previous thread suggested that you might have a problem with
> different bits of code being linked to different versions of libssl.
> Did you ever resolve that?  Given the lack of other reports, I'm
> pretty suspicious that it's something like that, rather than a real
> bug in either slony or PG.
>

# ldd /usr/local/pgsql/bin/postgres
        ...
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
# ldd /usr/local/pgsql/bin/slon
        ...
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8

Now there are 2 subscriber nodes that connect to this node for slony
replication...
One is running the same version (libssl 0.9.8e) but one is running
0.9.7e-p1 2.
Could this be an issue?

So let's ask what is different between my config and the rest of the
world....

The stack trace actually was one more level deep and the reference to
'output_cert_chain' got me thinking....
#0  0xfee8ec23 in sk_value () from /usr/local/ssl/lib/libcrypto.so.0.9.8
#1  0xfef5b05b in ssl3_output_cert_chain () from /usr/local/ssl/lib/libssl.so.0.9.8
#2  0x00000000 in ?? ()

Is it unique that I use SSL for encryption but not for authentication?
I have no root.crt (and see the warning in my logs about "could not
load root certificate file "root.crt": No such file or directory.  Will
not verify client certificates.")
Is this unusual?  Do other people use SSL with postgres JUST for encryption?

Is there something wrong with the way we build/install libssl?
We currently do a pkgadd of the binary from sunfreeware:

/usr/sfw/bin/wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/openssl-0.9.8e-sol10-x86-local.gz
gzip -d openssl-0.9.8e-sol10-x86-local.gz
pkgadd -d openssl-0.9.8e-sol10-x86-local

I went back and researched the nearly identical problems we were having
under FreeBSD and the stack trace (using a slightly different/older
version of libssl) looks like a different spot:

(gdb) bt
#0  0x2838e492 in SHA1_Init () from /lib/libcrypto.so.3
#1  0x2838a14a in X509_check_private_key () from /lib/libcrypto.so.3
#2  0x2838a459 in EVP_DigestInit_ex () from /lib/libcrypto.so.3

Any other thoughts?
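
The linkage comparison discussed above can be automated. This is an added example, not part of the original message or of PostgreSQL/slony; the function name, the transcript format it reads, and the /example/other path in the second sample are assumptions made for illustration.

```shell
# Input format follows the message: a "# ldd <binary>" line, then
# "name => path" lines for that binary.
# Exit 0 if every binary resolves libssl and libcrypto to the same files,
# 1 if any binary resolves one of them to a different file.
check_ssl_linkage() {
    awk '
        /^# ldd / { bin = $3; next }
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            lib = $1; sub(/\.so.*/, "", lib)   # libssl.so.0.9.8 -> libssl
            key = lib SUBSEP $3
            if (!(key in users)) npaths[lib]++
            users[key] = users[key] " " bin
        }
        END {
            for (key in users) {
                split(key, part, SUBSEP)
                printf "%s -> %s used by:%s\n", part[1], part[2], users[key]
            }
            for (lib in npaths)
                if (npaths[lib] > 1) { print "MISMATCH: " lib; bad = 1 }
            exit bad + 0
        }'
}

# Paths as shown in the message: both binaries agree.
sample_matching() {
    cat <<'EOF'
# ldd /usr/local/pgsql/bin/postgres
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
# ldd /usr/local/pgsql/bin/slon
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
EOF
}

# Constructed counter-case: slon resolving to a second OpenSSL install.
sample_mixed() {
    cat <<'EOF'
# ldd /usr/local/pgsql/bin/postgres
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
# ldd /usr/local/pgsql/bin/slon
        libssl.so.0.9.7 =>       /example/other/lib/libssl.so.0.9.7
        libcrypto.so.0.9.7 =>    /example/other/lib/libcrypto.so.0.9.7
EOF
}
sample_matching | check_ssl_linkage && echo "result: consistent"
sample_mixed | check_ssl_linkage || echo "result: mixed OpenSSL libraries"
```

ldd reports what the runtime linker resolves in the environment it is run in, so capture the transcript under the same user and library path settings as the running service.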
