Re: Minimal streaming replication

On 06/26/2012 05:18 AM, Stuart Bishop wrote:
> On Tue, Jun 26, 2012 at 6:47 AM, Steve Crawford
> <scrawford@xxxxxxxxxxxxxxxxxxxx>  wrote:
>
>> ...
>> I'm seeing troubling messages in the log. While running pgbench I
>> see the following types of messages on the master every minute or few:
>> 2012-06-25 11:36:26 PDT FATAL:  could not send data to WAL stream: SSL
>> error: sslv3 alert unexpected message
>> 2012-06-25 11:36:26 PDT LOG:  invalid magic number 0000 in log file 457,
>> segment 173, offset 15851520
>> ...
>> 2012-06-25 11:36:41 PDT LOG:  streaming replication successfully connected
>> to primary
>> ...
>>
>> Any advice on what this is telling me? I'm not keen on words like "FATAL" in
>> my logs.
>
> I saw this with Ubuntu 12.04 and PostgreSQL 9.1.4, replicating to an
> identical machine. Google suggested it was caused by different
> versions of libssl, but I don't think that is the case here unless one
> of the packages got statically linked with an old libssl. I haven't
> had time to investigate so I've disabled SSL for now, even though
> replication appears to work apart from the disconnections.

I don't think different SSL versions are the issue, as both machines are identical hardware and were built within minutes of each other from the same install source; updates have been applied simultaneously, and the current package lists pulled from the machines are identical.

I did some research and testing and suspect the issue is related to the SSL renegotiation security vulnerability.

The ssl_renegotiation_limit defaults to 512MB, which goes by pretty quickly when running pgbench. I set it to "0" (off) and the errors stopped.

There is a note in the documentation: "SSL libraries from before November 2009 are insecure when using SSL renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix for this vulnerability, some vendors shipped SSL libraries incapable of doing renegotiation. If any such libraries are in use on the client or server, SSL renegotiation should be disabled."

It would appear that the defaults set by the Ubuntu PostgreSQL packagers are in conflict with the decisions of the Ubuntu SSL packagers.

Cheers,
Steve
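
An added example, not part of the message above: a small Python log check that pairs each "could not send data to WAL stream: SSL error" FATAL line with the next reconnect and reports the spacing between drops. The message texts come from the log excerpt in the thread; the function names are hypothetical, the timestamp layout is assumed from the excerpt, and the sample lines after the first three are constructed.

```python
import re
from datetime import datetime

# Message texts are taken from the log excerpt in the thread; the line layout
# (date, time, zone, level) is assumed from those same lines.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (\w+):\s+(.*)$")
DROP = "could not send data to WAL stream: SSL error"
RECONNECT = "streaming replication successfully connected to primary"

def find_ssl_stream_drops(lines):
    """Return [(drop_time, reconnect_time_or_None), ...] in log order."""
    events, pending = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines or other formats
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, msg = m.group(2), m.group(3)
        if level == "FATAL" and msg.startswith(DROP):
            if pending is not None:
                events.append((pending, None))  # drop with no reconnect seen
            pending = ts
        elif level == "LOG" and msg.startswith(RECONNECT) and pending is not None:
            events.append((pending, ts))
            pending = None
    if pending is not None:
        events.append((pending, None))
    return events

def drop_intervals(events):
    """Seconds between consecutive drops. Roughly even gaps under a steady
    load would fit a byte-count trigger such as ssl_renegotiation_limit."""
    times = [drop for drop, _ in events]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

# First three lines reproduce the thread's excerpt; the rest are constructed.
SAMPLE_LOG = """\
2012-06-25 11:36:26 PDT FATAL:  could not send data to WAL stream: SSL error: sslv3 alert unexpected message
2012-06-25 11:36:26 PDT LOG:  invalid magic number 0000 in log file 457, segment 173, offset 15851520
2012-06-25 11:36:41 PDT LOG:  streaming replication successfully connected to primary
2012-06-25 11:37:58 PDT FATAL:  could not send data to WAL stream: SSL error: sslv3 alert unexpected message
2012-06-25 11:38:13 PDT LOG:  streaming replication successfully connected to primary
2012-06-25 11:39:30 PDT FATAL:  could not send data to WAL stream: SSL error: sslv3 alert unexpected message
""".splitlines()

if __name__ == "__main__":
    events = find_ssl_stream_drops(SAMPLE_LOG)
    for drop, back in events:
        print(drop, "->", back or "no reconnect logged")
    print("seconds between drops:", drop_intervals(events))
```

Running the same check before and after changing ssl_renegotiation_limit shows whether the drops actually stop rather than just becoming less frequent.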

