Обсуждение: SSL problem in pgAdmin3 1.8.0 beta 5
Hi.<br /><br />I'm using pgAdmin3 1.8.0 beta 5, with winXp sp2.<br /><br />When trying to stablish a ssl connection, theappication crash with this error:<br /><br />OpenSSL: Fatal<br /><br />OPENSSL_Uplink(00FD010,05): no OPENSSL_Applink.<br /><br />PgAdmin 1.6.3 connects just fine whit the same set of certificates.<br /><br />Thanks,<br /><br/>Alejandro<br /><br />
Alejandro Gasca wrote: > Hi. > > I'm using pgAdmin3 1.8.0 beta 5, with winXp sp2. > > When trying to stablish a ssl connection, the appication crash with this > error: > > OpenSSL: Fatal > > OPENSSL_Uplink(00FD010,05): no OPENSSL_Applink. > It works fine for me (using the released version of beta 5 on XP Pro SP2, with 8.2.2 running with a certificate generated per the PostgreSQL docs). That error looks a little odd though - can you send the pgAdmin logfile please? Can anyone else reproduce this? Regards, Dave.
2007/9/26, Dave Page <dpage@postgresql.org>:
starting with a new log file, and just open an closing pgAdmin the log says (i put logging to "debug"): Alejandro Gasca wrote:
> Hi.
>
> I'm using pgAdmin3 1.8.0 beta 5, with winXp sp2.
>
> When trying to stablish a ssl connection, the appication crash with this
> error:
>
> OpenSSL: Fatal
>
> OPENSSL_Uplink(00FD010,05): no OPENSSL_Applink.
>
It works fine for me (using the released version of beta 5 on XP Pro
SP2, with 8.2.2 running with a certificate generated per the PostgreSQL
docs). That error looks a little odd though - can you send the pgAdmin
logfile please?
Can anyone else reproduce this?
Regards, Dave.
2007-09-26 04:34:56 INFO : ##############################################################
2007-09-26 04:34:56 INFO : # pgAdmin III Version 1.8.0 Beta 5 Startup
2007-09-26 04:34:56 INFO : ##############################################################
2007-09-26 04:34:56 INFO : Compiled with dynamically linked SSL support
2007-09-26 04:34:56 INFO : Running a RELEASE build.
2007-09-26 04:34:56 INFO : i18n path : C:\Archivos de programa\pgAdmin III\1.8/i18n
2007-09-26 04:34:56 INFO : UI path : C:\Archivos de programa\pgAdmin III\1.8/../ui
2007-09-26 04:34:56 INFO : Doc path : C:\Archivos de programa\pgAdmin III\1.8/docs
2007-09-26 04:34:56 INFO : Branding path: C:\Archivos de programa\pgAdmin III\1.8/../../branding
2007-09-26 04:34:56 INFO : PG pg_dump : C:\Archivos de programa\pgAdmin III\1.8\pg_dump.exe
2007-09-26 04:34:56 INFO : PG pg_dumpall : C:\Archivos de programa\pgAdmin III\1.8\pg_dumpall.exe
2007-09-26 04:34:56 INFO : PG pg_restore : C:\Archivos de programa\pgAdmin III\1.8\pg_restore.exe
2007-09-26 04:34:56 INFO : EDB pg_dump :
2007-09-26 04:34:56 INFO : EDB pg_dumpall:
2007-09-26 04:34:56 INFO : EDB pg_restore:
2007-09-26 04:34:56 INFO : Using embedded XRC data.
2007-09-26 04:34:56 INFO : PG Help : http://www.postgresql.org/docs/current/static/
2007-09-26 04:34:56 INFO : EDB Help : http://www.enterprisedb.com/documentation/8.2/
2007-09-26 04:34:56 INFO : Slony Help : http://www.slony.info/documentation/
2007-09-26 04:34:58 INFO : Using fontmetrics 6/13, 8 Point
2007-09-26 04:34:58 INFO : Native Description '0;-11;0;0;0;400;0;0;0;0;0;0;0;0;MS Shell Dlg 2'
2007-09-26 04:34:58 INFO : Draw size of 'M': w=8, h=13, descent 2, external lead 0.
2007-09-26 04:34:58 INFO : Draw size of 'g': w=6, h=13, descent 2, external lead 0.
2007-09-26 04:34:58 INFO : Draw size of 'Mg': w=14, h=13, descent 2, external lead 0.
2007-09-26 04:34:59 INFO : Reloading servers...
2007-09-26 04:34:59 INFO : Displaying properties for Servers Servers
2007-09-26 04:34:59 STATUS : Retrieving Servers details...
2007-09-26 04:34:59 STATUS : Retrieving Servers details... ( 0.00 secs)
2007-09-26 04:35:02 INFO : Displaying properties for Server 10.19.73.1:50001
2007-09-26 04:35:02 STATUS : Retrieving Server details...
2007-09-26 04:35:02 STATUS : Retrieving Server details... ( 0.02 secs)
2007-09-26 04:35:02 INFO : Attempting to create a connection object...
2007-09-26 04:35:02 INFO : Using password file C:\Documents and Settings\x\Datos de programa\postgresql\pgpass.conf
2007-09-26 04:35:02 STATUS : Connecting to database...
2007-09-26 04:35:02 INFO : Server name: 10.11.12.13 (resolved to: 10.11.12.13)
2007-09-26 04:35:02 INFO : Opening connection with connection string: host=' 10.11.12.13' hostaddr=10.11.12.13 dbname='db' user='xxxxx' port=yyyyy sslmode=require
And the postgres log drop this line:
2007-09-26 04:29:01 CDT LOG: could not accept SSL connection: Connection reset by peer
The server version: "PostgreSQL 8.2.4 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)"
The keys was generated with the openssl scripts.
note.
1. If i put incorrect certificates in %appdata%\postgres pgAdmin says: "Error connecting to the server: SSL error: certificate verify failed", as expected.
2. using the "out of the box" dummy certs of postgres (i think from postgresql-common) works fine. but the problem is with real certs.
Alejandro
Alejandro Gasca wrote: > note. > 1. If i put incorrect certificates in %appdata%\postgres pgAdmin says: > "Error connecting to the server: SSL error: certificate verify failed", > as expected. > 2. using the "out of the box" dummy certs of postgres (i think from > postgresql-common) works fine. but the problem is with real certs. Does it work if you connect using psql? Regards, Dave
2007/9/26, Dave Page <dpage@postgresql.org>:
sorry, i don't have postgres installed in the xp machine...
but i do a pg_dumpall from %programfiles%\pgAdmin III\1.8, and the same error rise:
OPENSSL_Uplink(00914010,05): no OPENSSL_Applink
Alejandro.
Alejandro Gasca wrote:
> note.
> 1. If i put incorrect certificates in %appdata%\postgres pgAdmin says:
> "Error connecting to the server: SSL error: certificate verify failed",
> as expected.
> 2. using the "out of the box" dummy certs of postgres (i think from
> postgresql-common) works fine. but the problem is with real certs.
Does it work if you connect using psql?
Regards, Dave
sorry, i don't have postgres installed in the xp machine...
but i do a pg_dumpall from %programfiles%\pgAdmin III\1.8, and the same error rise:
OPENSSL_Uplink(00914010,05): no OPENSSL_Applink
Alejandro.
---------- Forwarded message ----------
From: Alejandro Gasca <galejadror@gmail.com>
Date: 26-sep-2007 5:21
Subject: Re: [pgadmin-support] SSL problem in pgAdmin3 1.8.0 beta 5
To: Dave Page <dpage@postgresql.org>
2007/9/26, Alejandro Gasca < galejadror@gmail.com>:
Well, i download the postgresql-8.2.4-1-binaries-no-installer.zip.2007/9/26, Dave Page <dpage@postgresql.org>:Alejandro Gasca wrote:
> note.
> 1. If i put incorrect certificates in %appdata%\postgres pgAdmin says:
> "Error connecting to the server: SSL error: certificate verify failed",
> as expected.
> 2. using the "out of the box" dummy certs of postgres (i think from
> postgresql-common) works fine. but the problem is with real certs.
Does it work if you connect using psql?
Regards, Dave
sorry, i don't have postgres installed in the xp machine...
but i do a pg_dumpall from %programfiles%\pgAdmin III\1.8, and the same error rise:
OPENSSL_Uplink(00914010,05): no OPENSSL_Applink
Alejandro.
the psql packed there connects without problem.
A.
[CCing Magnus as this could be a problem - pgAdmin 1.8 fails to connect to an SSL server with a 'real' certificate] Alejandro Gasca wrote: > Well, i download the postgresql-8.2.4-1-binaries-no-installer.zip. > the psql packed there connects without problem. Well the main difference between those builds is that pgAdmin 1.8 uses a version of libpq.dll compiled with MSVC++ rather than mingw, and ships with OpenSSL 0.9.8.5 instead of 0.9.8.1 - which is a touch worrying. I don't have access to any 'real' certificates - do you trust me enough to let me test with a copy of yours on the assurance that I'll destroy all copies when I'm done? If so, my GPG keys is at http://www.pgadmin.org/pgp/davepage.pgp. I completely understand if you're not happy to do that. Regards, Dave
Dave Page wrote: > [CCing Magnus as this could be a problem - pgAdmin 1.8 fails to connect > to an SSL server with a 'real' certificate] > > Alejandro Gasca wrote: >> Well, i download the postgresql-8.2.4-1-binaries-no-installer.zip. >> the psql packed there connects without problem. > > Well the main difference between those builds is that pgAdmin 1.8 uses a > version of libpq.dll compiled with MSVC++ rather than mingw, and ships > with OpenSSL 0.9.8.5 instead of 0.9.8.1 - which is a touch worrying. OK, on further research it sounds like this might be problem: http://www.openssl.org/support/faq.html#PROG2 To recap, the error reported was: OPENSSL_Uplink(00914010,05): no OPENSSL_Applink. The patch below adds the applink code to libpq. Alejandro; may I send you an updated libpq.dll to test? Magnus; assuming this works, we should add it to the server as well I guess - src/backend/libpq/be-secure.c seem reasonable? Regards, Dave Index: fe-secure.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.94 diff -u -r1.94 fe-secure.c --- fe-secure.c 16 Feb 2007 17:07:00 -0000 1.94 +++ fe-secure.c 26 Sep 2007 15:36:45 -0000 @@ -153,8 +153,17 @@static bool pq_initssllib = true; static SSL_CTX *SSL_context = NULL; + +/* Include the OpenSSL AppLink code on Windows to ensure the */ +/* runtime libraries work in a compatible way */ +#ifdef WIN32 +#include "openssl/applink.c" +#endif +#endif /* ------------------------------------------------------------ *//* Procedures common to all secure sessions *//* ------------------------------------------------------------ */
On Wed, Sep 26, 2007 at 04:40:53PM +0100, Dave Page wrote: > Dave Page wrote: > > [CCing Magnus as this could be a problem - pgAdmin 1.8 fails to connect > > to an SSL server with a 'real' certificate] > > > > Alejandro Gasca wrote: > >> Well, i download the postgresql-8.2.4-1-binaries-no-installer.zip. > >> the psql packed there connects without problem. > > > > Well the main difference between those builds is that pgAdmin 1.8 uses a > > version of libpq.dll compiled with MSVC++ rather than mingw, and ships > > with OpenSSL 0.9.8.5 instead of 0.9.8.1 - which is a touch worrying. > > OK, on further research it sounds like this might be problem: > > http://www.openssl.org/support/faq.html#PROG2 > > To recap, the error reported was: > > OPENSSL_Uplink(00914010,05): no OPENSSL_Applink. > > The patch below adds the applink code to libpq. Alejandro; may I send > you an updated libpq.dll to test? > > Magnus; assuming this works, we should add it to the server as well I > guess - src/backend/libpq/be-secure.c seem reasonable? Yes. But we probably need an openssl version check as well, no? Won't it break on older openssl libs otherwise? //Magnus
Magnus Hagander wrote: > Yes. But we probably need an openssl version check as well, no? Won't it > break on older openssl libs otherwise? Yeah, we should require 0.9.8 or above. I had a quick look for a suitable macro in ssl.h earlier but didn't find anything. If the fix works, I'll look again. /D
2007/9/26, Dave Page <dpage@postgresql.org>:
Yes, of course
Dave Page wrote:
> [CCing Magnus as this could be a problem - pgAdmin 1.8 fails to connect
> to an SSL server with a 'real' certificate]
>
> Alejandro Gasca wrote:
>> Well, i download the postgresql-8.2.4-1-binaries-no-installer.zip.
>> the psql packed there connects without problem.
>
> Well the main difference between those builds is that pgAdmin 1.8 uses a
> version of libpq.dll compiled with MSVC++ rather than mingw, and ships
> with OpenSSL 0.9.8.5 instead of 0.9.8.1 - which is a touch worrying.
OK, on further research it sounds like this might be problem:
http://www.openssl.org/support/faq.html#PROG2
To recap, the error reported was:
OPENSSL_Uplink(00914010,05): no OPENSSL_Applink.
The patch below adds the applink code to libpq. Alejandro; may I send
you an updated libpq.dll to test?
Yes, of course
Alejandro Gasca wrote: > No. same problem.. > I unzip the libpq.dll (8.3.0.7268) and replace the other. > > OpenSSL: FATAL. > OPENSSL_Uplink(00DF4010,05): no OPENSSL_Applink. Hmm, OK on further investigation it looks like the applink code must be in the exe, not the dll. This is *really* annoying because it means that anyone writing a libpq based application now also needs the OpenSSL headers of the exact version used in libpq :-(. For me thats not an issue of course, but I doubt many others build Postgres and their app themselves. Anyway, I've committed a fix for pgAdmin which seems to work using the certificates you sent me. I'll send you a .exe to test if you like? One other annoying side effect is that a debug build of pgAdmin *must* now use a debug build of libpq, otherwise it'll outright crash when connecting to an SSL server with a client certificate :-( Regards Dave
2007/9/28, Dave Page <dpage@postgresql.org>:
of course
Alejandro Gasca wrote:
> No. same problem..
> I unzip the libpq.dll (8.3.0.7268) and replace the other.
>
> OpenSSL: FATAL.
> OPENSSL_Uplink(00DF4010,05): no OPENSSL_Applink.
Hmm, OK on further investigation it looks like the applink code must be
in the exe, not the dll. This is *really* annoying because it means that
anyone writing a libpq based application now also needs the OpenSSL
headers of the exact version used in libpq :-(. For me thats not an
issue of course, but I doubt many others build Postgres and their app
themselves.
Anyway, I've committed a fix for pgAdmin which seems to work using the
certificates you sent me. I'll send you a .exe to test if you like?
of course
One other annoying side effect is that a debug build of pgAdmin *must*
now use a debug build of libpq, otherwise it'll outright crash when
connecting to an SSL server with a client certificate :-(
Regards Dave
Alejandro.