Thread: More SSL patches
I was playing around with 7.3.1 and found some more SSL problems. The first,
that I missed when checking over 7.3.1, was that the client method was switched
to SSLv23 along with the server. The SSLv23 client method does SSLv2 by
default, but can also understand SSLv3. In our situation the SSLv2 backwords
compatibility is really only needed on the server. This is the first patch.
The second was that renegotiation was just plain broken. I can't believe I
didn't notice this before -- once 64k was sent to/from the server the client
would crash. Basicly, in 7.3 the server SSL code set the initial state to
"about to renegotiate" without actually starting the renegotiation. In
addition, the server and client didn't properly handle the
SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch.
The last thing is that I found a way for the server to understand SSLv2 HELLO
messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the
last one.
Hopefully this is the end of the SSL fixes. I've ran some pretty heavy stress
tests against a patched installation and I haven't noticed any problems yet.
Then again, I didn't notice the renegotiation problems until yesterday...
--Nate
Attachment
Has anyone looked at these yet?
--Nate
My fault. I am running behind because of some IPv6 patch work, and the holidays. I will look at them tomorrow. --------------------------------------------------------------------------- Nathan Mueller wrote: > Has anyone looked at these yet? > > --Nate > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Just put in the queue. --------------------------------------------------------------------------- Nathan Mueller wrote: > Has anyone looked at these yet? > > --Nate > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Your patch has been added to the PostgreSQL unapplied patches list at:
http://momjian.postgresql.org/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Nathan Mueller wrote:
> I was playing around with 7.3.1 and found some more SSL problems. The first,
> that I missed when checking over 7.3.1, was that the client method was switched
> to SSLv23 along with the server. The SSLv23 client method does SSLv2 by
> default, but can also understand SSLv3. In our situation the SSLv2 backwords
> compatibility is really only needed on the server. This is the first patch.
>
> The second was that renegotiation was just plain broken. I can't believe I
> didn't notice this before -- once 64k was sent to/from the server the client
> would crash. Basicly, in 7.3 the server SSL code set the initial state to
> "about to renegotiate" without actually starting the renegotiation. In
> addition, the server and client didn't properly handle the
> SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch.
>
> The last thing is that I found a way for the server to understand SSLv2 HELLO
> messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the
> last one.
>
> Hopefully this is the end of the SSL fixes. I've ran some pretty heavy stress
> tests against a patched installation and I haven't noticed any problems yet.
> Then again, I didn't notice the renegotiation problems until yesterday...
>
> --Nate
>
[ Attachment, skipping... ]
[ Attachment, skipping... ]
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Patch applied to HEAD and 7.3.2. Thanks for the fixes, Nathan. --------------------------------------------------------------------------- Nathan Mueller wrote: > I was playing around with 7.3.1 and found some more SSL problems. The first, > that I missed when checking over 7.3.1, was that the client method was switched > to SSLv23 along with the server. The SSLv23 client method does SSLv2 by > default, but can also understand SSLv3. In our situation the SSLv2 backwords > compatibility is really only needed on the server. This is the first patch. > > The second was that renegotiation was just plain broken. I can't believe I > didn't notice this before -- once 64k was sent to/from the server the client > would crash. Basicly, in 7.3 the server SSL code set the initial state to > "about to renegotiate" without actually starting the renegotiation. In > addition, the server and client didn't properly handle the > SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch. > > The last thing is that I found a way for the server to understand SSLv2 HELLO > messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the > last one. > > Hopefully this is the end of the SSL fixes. I've ran some pretty heavy stress > tests against a patched installation and I haven't noticed any problems yet. > Then again, I didn't notice the renegotiation problems until yesterday... > > --Nate > [ Attachment, skipping... ] [ Attachment, skipping... ] [ Attachment, skipping... ] > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073