On 06/26/2012 05:18 AM, Stuart Bishop wrote:
> On Tue, Jun 26, 2012 at 6:47 AM, Steve Crawford
> <scrawford@pinpointresearch.com> wrote:
>
> ...
> I'm seeing troubling messages in the log. While running pgbench I
> see the following types of messages on the master every minute or few:
>> 2012-06-25 11:36:26 PDT FATAL: could not send data to WAL stream: SSL
>> error: sslv3 alert unexpected message
>> 2012-06-25 11:36:26 PDT LOG: invalid magic number 0000 in log file 457,
>> segment 173, offset 15851520
>> ...
>> 2012-06-25 11:36:41 PDT LOG: streaming replication successfully connected
>> to primary
>> ...
>>
>> Any advice on what this is telling me? I'm not keen on words like "FATAL" in
>> my logs.
> I saw this with Ubuntu 12.04 and PostgreSQL 9.1.4, replicating to an
> identical machine. Google suggested it was caused by different
> versions of libssl, but I don't think that is the case here unless one
> of the packages got statically linked with an old libssl. I haven't
> had time to investigate so I've disabled SSL for now, even though
> replication appears to work apart from the disconnections.
>
I don't think different SSL versions is the issue as both machines are
identical hardware and were built within minutes of each other from the
same install source, updates have been applied simultaneously and the
current package lists pulled from the machines is identical.
I did some research and testing and suspect the issue is related to the
SSL renegotiation security vulnerability.
The ssl_renegotiation_limit defaults to 512MB which goes by pretty
quickly when running pgbench. I set it to "0" (off) and the errors stopped.
There is a note in the documentation: "SSL libraries from before
November 2009 are insecure when using SSL renegotiation, due to a
vulnerability in the SSL protocol. As a stop-gap fix for this
vulnerability, some vendors shipped SSL libraries incapable of doing
renegotiation. If any such libraries are in use on the client or server,
SSL renegotiation should be disabled."
It would appear that the defaults set by the Ubuntu PostgreSQL packagers
are in conflict with the decisions of the Ubuntu SSL packagers.
Cheers,
Steve