Thread: Connnection to SSL enabled server

Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">I am running PostgreSQL 7.3.4 server with SSL enabled.  I have the server
configuredto only accept SSL connections from various hosts.  I am using pgadmin3-1.1 on RedHat 9 and I can connect to
mySSL enabled Pg server just fine.  The information pane in pgadmin3 tells me I have an SSL connection to the server.
 Ican open up the graphic query tool and type in my query.  As soon as I click the 'Execute query' button pgadmin3
crashes. When I run pgadmin3 using gdb I get the following output from gdb after I click the 'Execute query'
button:</font><br/><br /><font face="sans-serif" size="2">Program received signal SIGSEGV, Segmentation
fault.</font><br/><font face="sans-serif" size="2">[Switching to Thread 1094126896 (LWP 4597)]</font><br /><font
face="sans-serif"size="2">0x400b603f in CRYPTO_lock () from /lib/libcrypto.so.4</font><br /><br /><font
face="sans-serif"size="2">I'm using the RedHat 9 rpm from the pgadmin site and have even tried using the nightly build
fromOctober 29, 2003 with the same result.  I have another PostgreSQL 7.3.4 server that is not SSL enabled and I can
usepgadmin3 just fine with that configuration.</font><br /><br /><font face="sans-serif" size="2">I built the SSL
enabledserver from source using openssl-0.9.7c source.  I can connect(I do get an SSL connection) and work from my
clientmachine using pgsql.</font><br /><br /><font face="sans-serif" size="2">Is there an issue with how I built the
serveror with openssl on RedHat 9 machines or the combination of SSL on the server and client I used?</font><br /><br
/><fontface="sans-serif" size="2">Tim</font> 

Re: Connnection to SSL enabled server

From
Andreas Pflug
Date:
timothy.r.morley@kc.frb.org wrote:

>
> I am running PostgreSQL 7.3.4 server with SSL enabled.  I have the 
> server configured to only accept SSL connections from various hosts. 
>  I am using pgadmin3-1.1 on RedHat 9 and I can connect to my SSL 
> enabled Pg server just fine.  The information pane in pgadmin3 tells 
> me I have an SSL connection to the server.  I can open up the graphic 
> query tool and type in my query.  As soon as I click the 'Execute 
> query' button pgadmin3 crashes.  When I run pgadmin3 using gdb I get 
> the following output from gdb after I click the 'Execute query' button:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1094126896 (LWP 4597)]
> 0x400b603f in CRYPTO_lock () from /lib/libcrypto.so.4
>
> I'm using the RedHat 9 rpm from the pgadmin site and have even tried 
> using the nightly build from October 29, 2003 with the same result.  I 
> have another PostgreSQL 7.3.4 server that is not SSL enabled and I can 
> use pgadmin3 just fine with that configuration.
>
> I built the SSL enabled server from source using openssl-0.9.7c 
> source.  I can connect(I do get an SSL connection) and work from my 
> client machine using pgsql.
>
> Is there an issue with how I built the server or with openssl on 
> RedHat 9 machines or the combination of SSL on the server and client I 
> used?
>

Can you confirm that this crash happens only with ssl?
There might be a multithreading problem. While the pgAdmin3 main window 
uses the main thread, the query tool uses a dedicated  thread for query 
execution.
I'm using open-ssl 0.9.7b (SuSE 8.1), no problem with a "requires SSL" 
connection, I doubt it's a version problem. It might be necessary to 
play a little with libraries to get it multithread proof.

Regards,
Andreas




Re: Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">Here is what I've tried:</font><br /><br /><font face="sans-serif" size="2">1.
IfI connect to server1 that wasn't compiled with SSL I have no issues running queries.</font><br /><font
face="sans-serif"size="2">2. If I connect to server2 that WAS compiled with SSL and ssl = true is set in
postgresql.confpgadmin3 crashes when I try to execute a query.</font><br /><font face="sans-serif" size="2">3. If I
connectto server2 with ssl = false in postgresql.conf pgadmin3 has no problems running the queries.</font><br /><br
/><fontface="sans-serif" size="2">On my RedHat 9 box(client) I have openssl-0.9.7a-20.</font><br /><br /><font
face="sans-serif"size="2">Tim</font><br /><br /><br /><table width="100%"><tr valign="top"><td></td><td><font
face="sans-serif"size="1"><b>Andreas Pflug <pgadmin@pse-consulting.de></b></font><p><font face="sans-serif"
size="1">10/29/200310:52 AM</font><br /></td><td><font face="Arial" size="1">        </font><br /><font
face="sans-serif"size="1">        To:        timothy.r.morley@kc.frb.org</font><br /><font face="sans-serif" size="1"> 
     cc:        pgadmin-support@postgresql.org, Jean-Michel POURE <jm@poure.com></font><br /><font
face="sans-serif"size="1">        Subject:        Re: [pgadmin-support] Connnection to SSL enabled
server</font></td></tr></table><br/><br /><br /><font face="Courier New" size="2">Can you confirm that this crash
happensonly with ssl?<br /> There might be a multithreading problem. While the pgAdmin3 main window <br /> uses the
mainthread, the query tool uses a dedicated  thread for query <br /> execution.<br /> I'm using open-ssl 0.9.7b (SuSE
8.1),no problem with a "requires SSL" <br /> connection, I doubt it's a version problem. It might be necessary to <br
/>play a little with libraries to get it multithread proof.<br /><br /> Regards,<br /> Andreas<br /><br /><br
/></font><br/><br /> 

Re: Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">I just setup a Slackware 9.1 machine and tried pgadmin3-1.0.1 and the October 29
snapshotof pgadmin3 with a connection to my SSL enabled PostgreSQL server.  Everything worked perfectly.  The Slack 9.1
machinehas openssl-0.9.7b on it.  I have a coworker running Mandrake 9.1 which contains openssl-0.9.7a.  His pgadmin3
alsocrashes trying to run queries against our SSL enabled PostgreSQL server.  He installed the Mandrake rpms for
pgadmin3from the pgadmin.postgresql.org site.</font><br /><br /><font face="sans-serif" size="2">You were right about
needingto play with the libraries.  I'll see if I can get my RedHat 9 box up to openssl 0.9.7b.</font><br /><br /><font
face="sans-serif"size="2">Tim</font><br /><br /><br /><table width="100%"><tr valign="top"><td></td><td><font
face="sans-serif"size="1"><b>Andreas Pflug <pgadmin@pse-consulting.de></b></font><br /><font face="sans-serif"
size="1">Sentby: pgadmin-support-owner@postgresql.org</font><p><font face="sans-serif" size="1">10/29/2003 10:52
AM</font><br/></td><td><font face="Arial" size="1">        </font><br /><font face="sans-serif" size="1">        To:  
    timothy.r.morley@kc.frb.org</font><br /><font face="sans-serif" size="1">        cc:      
 pgadmin-support@postgresql.org,Jean-Michel POURE <jm@poure.com></font><br /><font face="sans-serif" size="1">   
   Subject:        Re: [pgadmin-support] Connnection to SSL enabled server</font></td></tr></table><br /><br /><br
/><fontface="Courier New" size="2">timothy.r.morley@kc.frb.org wrote:<br /><br /> Can you confirm that this crash
happensonly with ssl?<br /> There might be a multithreading problem. While the pgAdmin3 main window <br /> uses the
mainthread, the query tool uses a dedicated  thread for query <br /> execution.<br /> I'm using open-ssl 0.9.7b (SuSE
8.1),no problem with a "requires SSL" <br /> connection, I doubt it's a version problem. It might be necessary to <br
/>play a little with libraries to get it multithread proof.<br /><br /> Regards,<br /> Andreas<br /><br /><br /><br />
---------------------------(endof broadcast)---------------------------<br /> TIP 5: Have you checked our extensive
FAQ?<br/><br />               http://www.postgresql.org/docs/faqs/FAQ.html<br /></font><br /><br /> 

Re: Connnection to SSL enabled server

From
Andreas Pflug
Date:
timothy.r.morley@kc.frb.org wrote:

>
> I just setup a Slackware 9.1 machine and tried pgadmin3-1.0.1 and the 
> October 29 snapshot of pgadmin3 with a connection to my SSL enabled 
> PostgreSQL server.  Everything worked perfectly.  The Slack 9.1 
> machine has openssl-0.9.7b on it.  I have a coworker running Mandrake 
> 9.1 which contains openssl-0.9.7a.  His pgadmin3 also crashes trying 
> to run queries against our SSL enabled PostgreSQL server.  He 
> installed the Mandrake rpms for pgadmin3 from the 
> pgadmin.postgresql.org site.
>
> You were right about needing to play with the libraries.  I'll see if 
> I can get my RedHat 9 box up to openssl 0.9.7b.
>

Actually, I can't believe that only 0.9.7b will work, but not 0.9.7a or 
0.9.7c, so I'd be glad if you could confirm this.

When mentioning libraries, I was talking about compilation options for 
multithread support and possible linkage against mt enabled libraries. 
Possibly, there are platforms where things are not compiled/linked 
correctly, but nobody noticed because ssl connections are rarely used 
(at least  for admins contacting a local server)

Regards,
Andreas




Re: Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">I've done some more testing.  I installed pgadmin3-1.0.1 and
pgadmin3-1.1.0-cvs20031030on a Mandrake 9.2 box.  The Mandrake 9.2 box has all updates applied and is running
openssl-0.9.7b-4.1.92mdk. When I connect from this machine to my SSL enabled PostgreSQL machine pgadmin3 crashes(both
versions)when I try to execute a query.  I can use either version to connect to my nonSSL PostgreSQL server and I can
executea query.  So here is a summary of my current results.</font><br /><br /><font face="sans-serif" size="2">Server:
PostgreSQL7.3.4 compiled with option --with-openssl.  Openssl version 0.9.7c.</font><br /><font face="sans-serif"
size="2">1.RedHat9 client: Pgadmin3 crashes when executing a query while connected to the SSL enabled PostgreSQL
server. Pgadmin3 executes query against a nonSSL PostgreSQL server and against the SSL enabled server when ssl = false
isset in postgresql.conf. Client has openssl-0.9.7a installed.</font><br /><font face="sans-serif" size="2">2. Mandrake
9.2client: Same results as with RedHat9 client. Client has openssl-0.9.7b-4.1.92mdk installed.</font><br /><font
face="sans-serif"size="2">3. Slackware 9.1: All queries on all servers work. Client has openssl-0.9.7b
installed.</font><br/><br /><br /><font face="sans-serif" size="2">Tim</font><br /><br /><br /><table width="100%"><tr
valign="top"><td></td><td><fontface="sans-serif" size="1"><b>Andreas Pflug
<pgadmin@pse-consulting.de></b></font><p><fontface="sans-serif" size="1">10/30/2003 04:41 AM</font><br
/></td><td><fontface="Arial" size="1">        </font><br /><font face="sans-serif" size="1">        To:      
 timothy.r.morley@kc.frb.org</font><br/><font face="sans-serif" size="1">        cc:      
 pgadmin-support@postgresql.org</font><br/><font face="sans-serif" size="1">        Subject:        Re:
[pgadmin-support]Connnection to SSL enabled server</font></td></tr></table><br /><br /><br /><font face="Courier New"
size="2">timothy.r.morley@kc.frb.orgwrote:<br /><br /> ><br /> > I just setup a Slackware 9.1 machine and tried
pgadmin3-1.0.1and the <br /> > October 29 snapshot of pgadmin3 with a connection to my SSL enabled <br /> >
PostgreSQLserver.  Everything worked perfectly.  The Slack 9.1 <br /> > machine has openssl-0.9.7b on it.  I have a
coworkerrunning Mandrake <br /> > 9.1 which contains openssl-0.9.7a.  His pgadmin3 also crashes trying <br /> >
torun queries against our SSL enabled PostgreSQL server.  He <br /> > installed the Mandrake rpms for pgadmin3 from
the<br /> > pgadmin.postgresql.org site.<br /> ><br /> > You were right about needing to play with the
libraries. I'll see if <br /> > I can get my RedHat 9 box up to openssl 0.9.7b.<br /> ><br /><br /> Actually, I
can'tbelieve that only 0.9.7b will work, but not 0.9.7a or <br /> 0.9.7c, so I'd be glad if you could confirm this.<br
/><br/> When mentioning libraries, I was talking about compilation options for <br /> multithread support and possible
linkageagainst mt enabled libraries. <br /> Possibly, there are platforms where things are not compiled/linked <br />
correctly,but nobody noticed because ssl connections are rarely used <br /> (at least  for admins contacting a local
server)<br/><br /> Regards,<br /> Andreas<br /><br /><br /></font><br /><br /> 

Re: Connnection to SSL enabled server

From
Andreas Pflug
Date:
timothy.r.morley@kc.frb.org wrote:

>
> I've done some more testing.  I installed pgadmin3-1.0.1 and 
> pgadmin3-1.1.0-cvs20031030 on a Mandrake 9.2 box.  The Mandrake 9.2 
> box has all updates applied and is running openssl-0.9.7b-4.1.92mdk. 
>  When I connect from this machine to my SSL enabled PostgreSQL machine 
> pgadmin3 crashes(both versions) when I try to execute a query.  I can 
> use either version to connect to my nonSSL PostgreSQL server and I can 
> execute a query.  So here is a summary of my current results.
>
> Server: PostgreSQL 7.3.4 compiled with option --with-openssl.  Openssl 
> version 0.9.7c.
> 1. RedHat9 client: Pgadmin3 crashes when executing a query while 
> connected to the SSL enabled PostgreSQL server.  Pgadmin3 executes 
> query against a nonSSL PostgreSQL server and against the SSL enabled 
> server when ssl = false is set in postgresql.conf. Client has 
> openssl-0.9.7a installed.
> 2. Mandrake 9.2 client: Same results as with RedHat9 client. Client 
> has openssl-0.9.7b-4.1.92mdk installed.
> 3. Slackware 9.1: All queries on all servers work. Client has 
> openssl-0.9.7b installed.
>

So this seems to be not a ssl version problem, but something about the 
platforms. We can reduce you results to
- RedHat9 and Mandrake 9.2 won't work
- Slackware does.
Maybe we need special compiler/link flags for RH and Mandrake :-(

Did you try the binary versions too? Jean-Michel, what's happening on 
your machines when connecting with ssl=require?

Regards,
Andreas



Re: Connnection to SSL enabled server

From
Jean-Michel POURE
Date:
Le Jeudi 30 Octobre 2003 15:28, Andreas Pflug a écrit :
> Did you try the binary versions too? Jean-Michel, what's happening on
> your machines when connecting with ssl=require?

I will do some testing tonight. Cheers, Jean-Michel



Re: Query Tool (not Builder) and SSL

From
Andreas Pflug
Date:
Network Administrator wrote:

>
>Ok, that is problem my fault.  I'm using the slackware package Version 1.1.0
>Devel (Oct 29 2003).  On the original post the problem use the visual query
>builder (unless I missed the jist of that post) using ssl.  When I tested this,
>pgAdmin crashes for both ssl and non-ssl connections.  That is to say going to
>the query builder, and trying to add a table under the tools menu crashes as
>soon as you select a table and hit ok.
>  
>

Please do *not* mix up the Query Tool  and the Query Builder, which is 
known to crash on gtk (see BUGS.txt) and for this reason is deliberately 
left out of release versions.

Regards,
Andreas




Re: Connnection to SSL enabled server

From
Andreas Pflug
Date:
Network Administrator wrote:

>>>3. Slackware 9.1: All queries on all servers work. Client has 
>>>openssl-0.9.7b installed.
>>>      
>>>
>to through my $0.02 in.  Slackware does work with ssl=reguire but when I
>did try to use the visual query tool (not sure how to use it actually) the 10/29
>snapshot did crash.
>
This is confusing. So you say slackware crashes for you, while Timothy 
says it's working.
What's the difference?


To get this clear: which version exactly did you use? source or binary?

Regards,
Andreas



Re: Connnection to SSL enabled server

From
Network Administrator
Date:
Quoting Andreas Pflug <pgadmin@pse-consulting.de>:

> timothy.r.morley@kc.frb.org wrote:
> 
> >
> > I've done some more testing.  I installed pgadmin3-1.0.1 and 
> > pgadmin3-1.1.0-cvs20031030 on a Mandrake 9.2 box.  The Mandrake 9.2 
> > box has all updates applied and is running openssl-0.9.7b-4.1.92mdk. 
> >  When I connect from this machine to my SSL enabled PostgreSQL machine 
> > pgadmin3 crashes(both versions) when I try to execute a query.  I can 
> > use either version to connect to my nonSSL PostgreSQL server and I can 
> > execute a query.  So here is a summary of my current results.
> >
> > Server: PostgreSQL 7.3.4 compiled with option --with-openssl.  Openssl 
> > version 0.9.7c.
> > 1. RedHat9 client: Pgadmin3 crashes when executing a query while 
> > connected to the SSL enabled PostgreSQL server.  Pgadmin3 executes 
> > query against a nonSSL PostgreSQL server and against the SSL enabled 
> > server when ssl = false is set in postgresql.conf. Client has 
> > openssl-0.9.7a installed.
> > 2. Mandrake 9.2 client: Same results as with RedHat9 client. Client 
> > has openssl-0.9.7b-4.1.92mdk installed.
> > 3. Slackware 9.1: All queries on all servers work. Client has 
> > openssl-0.9.7b installed.
> >
> 
> So this seems to be not a ssl version problem, but something about the 
> platforms. We can reduce you results to
> - RedHat9 and Mandrake 9.2 won't work
> - Slackware does.
> Maybe we need special compiler/link flags for RH and Mandrake :-(
> 
> Did you try the binary versions too? Jean-Michel, what's happening on 
> your machines when connecting with ssl=require?
> 
> Regards,
> Andreas
> 
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 7: don't forget to increase your free space map settings
> 

Just to through my $0.02 in.  Slackware does work with ssl=reguire but when I
did try to use the visual query tool (not sure how to use it actually) the 10/29
snapshot did crash.  I haven't retried it though since I wanted to hear some
other feedback.

Also, anything before OpenSSL 0.9.7c or 0.9.6k is not viable because of a recent
CERT.  Please see:

http://www.cert.org/advisories/CA-2003-26.html

-- 
Keith C. Perry
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
____________________________________
This email account is being host by:
VCSN, Inc : http://vcsn.com


Re: Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">Every version of pgadmin3 I have tried, whether production releases such as
1.0.0and 1.0.1 or nightly builds have been the rpms built for the appropriate platforms.  I used the the binary tgz for
Slackware.</font><br/><br /><font face="sans-serif" size="2">Tim</font><br /><br /><br /><table width="100%"><tr
valign="top"><td></td><td><fontface="sans-serif" size="1"><b>Andreas Pflug
<pgadmin@pse-consulting.de></b></font><p><fontface="sans-serif" size="1">10/30/2003 08:28 AM</font><br
/></td><td><fontface="Arial" size="1">        </font><br /><font face="sans-serif" size="1">        To:      
 timothy.r.morley@kc.frb.org</font><br/><font face="sans-serif" size="1">        cc:      
 pgadmin-support@postgresql.org,"Adam H. Pendleton" <fmonkey@fmonkey.net>, Jean-Michel POURE
<jm@poure.com></font><br/><font face="sans-serif" size="1">        Subject:        Re: [pgadmin-support]
Connnectionto SSL enabled server</font></td></tr></table><br /><br /><br /><font face="Courier New" size="2">So this
seemsto be not a ssl version problem, but something about the <br /> platforms. We can reduce you results to<br /> -
RedHat9and Mandrake 9.2 won't work<br /> - Slackware does.<br /> Maybe we need special compiler/link flags for RH and
Mandrake:-(<br /><br /> Did you try the binary versions too? Jean-Michel, what's happening on <br /> your machines when
connectingwith ssl=require?<br /><br /> Regards,<br /> Andreas<br /><br /></font><br /><br /> 

Re: Connnection to SSL enabled server

From
blacknoz@club-internet.fr
Date:

>Also, anything before OpenSSL 0.9.7c or 0.9.6k is not viable because of a recent
>CERT.  Please see:
>http://www.cert.org/advisories/CA-2003-26.html

Yes but generally, distros backport patches to older release so that they don't break the global way the soft run...
For RH, openssl-0.9.7a-20 is considered corrected although it is versioned 0.9.7a and not 0.9.7c
Please see
https://rhn.redhat.com/errata/RHSA-2003-292.html

Hope we won't have to publish our openssl packages for pgA3!

Regards,
Raphaël



Re: Connnection to SSL enabled server

From
timothy.r.morley@kc.frb.org
Date:
<br /><font face="sans-serif" size="2">Since my Mandrake 9.2 machine contained openssl-0.9.7b and pagdmin3 queries
didn'twork on it, I'm taking this to mean you are correct that this is not an openssl version issue. Therefore, I
didn'ttry to upgrade my RedHat 9 machine.</font><br /><br /><font face="sans-serif" size="2">Tim</font><br /><br /><br
/><tablewidth="100%"><tr valign="top"><td></td><td><font face="sans-serif" size="1"><b>Andreas Pflug
<pgadmin@pse-consulting.de></b></font><p><fontface="sans-serif" size="1">10/30/2003 04:41 AM</font><br
/></td><td><fontface="Arial" size="1">        </font><br /><font face="sans-serif" size="1">        To:      
 timothy.r.morley@kc.frb.org</font><br/><font face="sans-serif" size="1">        cc:      
 pgadmin-support@postgresql.org</font><br/><font face="sans-serif" size="1">        Subject:        Re:
[pgadmin-support]Connnection to SSL enabled server</font></td></tr></table><br /><br /><br /><font face="Courier New"
size="2">timothy.r.morley@kc.frb.orgwrote:<br /><br /> ><br /> > I just setup a Slackware 9.1 machine and tried
pgadmin3-1.0.1and the <br /> > October 29 snapshot of pgadmin3 with a connection to my SSL enabled <br /> >
PostgreSQLserver.  Everything worked perfectly.  The Slack 9.1 <br /> > machine has openssl-0.9.7b on it.  I have a
coworkerrunning Mandrake <br /> > 9.1 which contains openssl-0.9.7a.  His pgadmin3 also crashes trying <br /> >
torun queries against our SSL enabled PostgreSQL server.  He <br /> > installed the Mandrake rpms for pgadmin3 from
the<br /> > pgadmin.postgresql.org site.<br /> ><br /> > You were right about needing to play with the
libraries. I'll see if <br /> > I can get my RedHat 9 box up to openssl 0.9.7b.<br /> ><br /><br /> Actually, I
can'tbelieve that only 0.9.7b will work, but not 0.9.7a or <br /> 0.9.7c, so I'd be glad if you could confirm this.<br
/><br/> When mentioning libraries, I was talking about compilation options for <br /> multithread support and possible
linkageagainst mt enabled libraries. <br /> Possibly, there are platforms where things are not compiled/linked <br />
correctly,but nobody noticed because ssl connections are rarely used <br /> (at least  for admins contacting a local
server)<br/><br /> Regards,<br /> Andreas<br /><br /><br /></font><br /><br />