Hi Christoph,
----- Original Message -----
> From: "Christoph Berg" <cb@df7cb.de>
> To: "Chris Butler" <cbutler@zedcore.com>
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
>
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?
Yes, that would appear to be the case - the key we're using is only 512 bits. I'll make sure we replace the certificate
before re-applying the update (which will probably be after the holidays now).
> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.
For info, I can confirm that both libraries are loading the same libssl:
zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd /usr/lib/x86_64-linux-gnu/libpq.so.5 | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3e8d898000)
zedcore@web2:/tmp/usr/lib/x86_64-linux-gnu$ ldd ./libpq.so.5 | grep libssl
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f5d76176000)
I can see a few changes are listed in the 9.4 changelog relating to SSL, so my guess would be one of those changes has
altered the behaviour of libssl when presented with a small key.
--
Chris Butler
Zedcore Systems Ltd
Telephone: 0114 303 0666
Direct dial: 0114 303 0572
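
Added example, not part of the original thread or of PostgreSQL/OpenSSL code: a sketch of the size rule behind "digest too big for rsa key", assuming the signature uses PKCS#1 v1.5 padding as specified in RFC 8017 section 9.2. The function names are hypothetical; the example shows why a 512-bit key can still sign a SHA-256 digest but not a SHA-384 or SHA-512 one, and why 768 bits is about where every digest fits.

```python
import hashlib

# ASN.1 DigestInfo prefixes listed in RFC 8017, section 9.2.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# Fixed overhead: 0x00 0x01, at least eight 0xff padding bytes, 0x00.
MIN_PADDING = 11


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, key_bits: int) -> bytes:
    """Build the block an RSA key signs; fail if the modulus is too short."""
    k = (key_bits + 7) // 8  # modulus length in bytes
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if len(t) + MIN_PADDING > k:
        raise ValueError(
            f"digest too big for rsa key: {hash_name} needs "
            f"{len(t) + MIN_PADDING} bytes, modulus has {k}"
        )
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def fits(hash_name: str, key_bits: int) -> bool:
    """True if a key of key_bits can sign a digest of this type."""
    try:
        emsa_pkcs1_v15_encode(b"constructed sample message", hash_name, key_bits)
        return True
    except ValueError:
        return False


def min_key_bits(hash_name: str) -> int:
    """Smallest modulus size (in bits) that can carry this digest."""
    digest_len = hashlib.new(hash_name).digest_size
    return 8 * (len(DIGEST_INFO_PREFIX[hash_name]) + digest_len + MIN_PADDING)


if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        row = ", ".join(f"{h}={'ok' if fits(h, bits) else 'TOO BIG'}"
                        for h in DIGEST_INFO_PREFIX)
        print(f"{bits:5d}-bit key: {row}")
```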