Re: [pgsql-pkg-debian] Updated libpq5 packages cause connection errors on postgresql 9.2

From Christoph Berg
Subject Re: [pgsql-pkg-debian] Updated libpq5 packages cause connection errors on postgresql 9.2
Date
Msg-id 20141219105243.GA29845@msg.df7cb.de
Responses Re: [pgsql-pkg-debian] Updated libpq5 packages cause connection errors on postgresql 9.2  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Re: Chris Butler 2014-12-19 <1155204201.65430.1418975376728.JavaMail.zimbra@zedcore.com>
> One of our servers is currently running on postgres 9.2 using the 9.2.9-1.pgdg70+1 packages from pgdg.
>
> After an apt update this morning which brought in the libpq5 package version 9.4.0-1.pgdg70+1, connections to the database started failing with SSL errors logged on the server:
>
>    [unknown] [unknown] LOG:  could not accept SSL connection: digest too big for rsa key
>
> Rolling back the server and client to libpq5 version 9.3.5-2.pgdg70+1 fixed it.
>
> This is running on an otherwise up-to-date Debian Wheezy. The SSL certificate is locally issued using an internal CA which has been added to the local trust store. SSL-related config options are left set to the defaults.

Hi Chris,

thanks for the report.

Googling for "digest too big for rsa key" seems to indicate that this
problem occurs when you are using (client?) certificates with short
RSA keys. 512 bits is most often cited in the problem reports,
something like 768 is around the minimum size that works, and of
course, anything smaller than 1024 or really 1536 (or 2048) bits is
too small for today's crypto standards.

So the question here is if this is also the problem you saw - are you
using client or server certificates with short keys?

What this explanation doesn't explain is why the problem occurs with
9.4's libpq5 while it works with 9.3's. The libssl version used for
building these packages should really be the same, 9.3.5-2.pgdg70+1
was built just two days ago as well.

I'm CCing -hackers, maybe someone there has an idea.

Christoph
--
cb@df7cb.de | http://www.df7cb.de/

