Greetings, hackers!

The flurry of patches that vendors have recently been making to OpenSSL to address the potential man-in-the-middle attack during SSL renegotiation have disabled SSL renegotiation altogether in the OpenSSL libraries. Applications that make use of SSL renegotiation, such as PostgreSQL, start failing.

I’ve noticed such failures on Mac OS X 10.6.2 after installing Security Update 2010-001 (which is when Apple distributed their OpenSSL patch):

CVE-ID: CVE-2009-3555

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL

Description: A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available at A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure.
After installing Security Update 2010-001, any libpq connection to the server that exchanges more than 512MB of data (the RENEGOTIATION_LIMIT defined in src/backend/libpq/be-secure.c) will trigger an SSL renegotiation, which fails, which disconnects the client. I observed the problem on both PostgreSQL 8.1.19 and PostgreSQL 8.4.2 (those are the only versions I have in production).

I have been working around the problem by disabling SSL renegotiation entirely in my PostgreSQL servers, commenting out lines 316-339 in src/backend/libpq/be-secure.c.

There have been reports of such SSL-related breakage on other platforms, too:

Thanks! Happy hacking!

- Chris

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 42 | next ›
Discussion Overview
grouppgsql-hackers @
postedFeb 3, '10 at 11:25a
activeFeb 25, '10 at 3:10p



site design / logo © 2022 Grokbase