Thread: ssl3 errors in replication.


ssl3 errors in replication.

From
Mario Splivalo
Date:
I have these errors in my log files, occurring very often:

2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL:  could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:05:58 CST [20507]: [301-1] user=,db= LOG:  invalid magic
number 0000 in log file 970, segment 37, offset 15728640
2012-02-02 01:05:58 CST [4104]: [1-1] user=,db= LOG:  streaming
replication successfully connected to primary
2012-02-02 01:14:28 CST [4104]: [2-1] user=,db= FATAL:  could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:14:33 CST [20507]: [302-1] user=,db= LOG:  unexpected
pageaddr 3C9/CBE6A000 in log file 970, segment 196, offset 15114240
2012-02-02 01:14:33 CST [4212]: [1-1] user=,db= LOG:  streaming
replication successfully connected to primary
2012-02-02 01:15:10 CST [4212]: [2-1] user=,db= FATAL:  could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:15:10 CST [20507]: [303-1] user=,db= LOG:  unexpected
pageaddr 3C9/B0F80000 in log file 970, segment 227, offset 16252928
2012-02-02 01:15:10 CST [4269]: [1-1] user=,db= LOG:  streaming
replication successfully connected to primary


These are happening every few minutes. This started happening when I
upgraded master and slave from 9.1.1 to 9.1.2 (upgrade was related to
often segfaulting of slave when additional load was put onto WALs - a
lot of DML on the master made slave segfault). Before the upgrade I had
'sslv3 alert' issues maybe once every few days.

I've added another slave to the setup, and I have same issues there as
on the other slave - the difference is that the newly added slave has no
clients connected to it.

This is all set up on 64bit debian squeeze upgraded to latest packages,
where postgres 9.1.2 is installed from backports repositories:

postgres=# select version();
                                                version

-------------------------------------------------------------------------------------------------------
 PostgreSQL 9.1.2 on x86_64-unknown-linux-gnu, compiled by gcc-4.6.real
(Debian 4.6.2-9) 4.6.2, 64-bit
(1 row)

Re: ssl3 errors in replication.

From
Tom Lane
Date:
Mario Splivalo <mario.splivalo@megafon.hr> writes:
> I have these errors in my log files, occurring very often:
> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL:  could not
> receive data from WAL stream: SSL error: sslv3 alert unexpected message

Google suggests that this might be caused by version or configuration
mismatches between openssl libraries on the master and slave machines.
One particular thing I'm wondering about is whether your openssl
libraries deal with the SSL renegotiation bug sanely (ie they've got
a fix for it that's less brain-dead than breaking the connection).

            regards, tom lane

Re: ssl3 errors in replication.

From
Mario Splivalo
Date:
On 02/02/2012 05:16 PM, Tom Lane wrote:
> Mario Splivalo <mario.splivalo@megafon.hr> writes:
>> I have these errors in my log files, occurring very often:
>> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL:  could not
>> receive data from WAL stream: SSL error: sslv3 alert unexpected message
>
> Google suggests that this might be caused by version or configuration
> mismatches between openssl libraries on the master and slave machines.
> One particular thing I'm wondering about is whether your openssl
> libraries deal with the SSL renegotiation bug sanely (ie they've got
> a fix for it that's less brain-dead than breaking the connection).

Is there a way I can force replication over non-ssl channel? All those
boxes are in my private network and ssl is a bit overhead there anyhow.

    Mario


Re: ssl3 errors in replication.

From
Mario Splivalo
Date:
On 02/02/2012 05:15 PM, Mario Splivalo wrote:
> On 02/02/2012 05:16 PM, Tom Lane wrote:
>> Mario Splivalo <mario.splivalo@megafon.hr> writes:
>>> I have these errors in my log files, occurring very often:
>>> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL:  could not
>>> receive data from WAL stream: SSL error: sslv3 alert unexpected message
>>
>> Google suggests that this might be caused by version or configuration
>> mismatches between openssl libraries on the master and slave machines.
>> One particular thing I'm wondering about is whether your openssl
>> libraries deal with the SSL renegotiation bug sanely (ie they've got
>> a fix for it that's less brain-dead than breaking the connection).
>
> Is there a way I can force replication over non-ssl channel? All those
> boxes are in my private network and ssl is a bit overhead there anyhow.

Reading the docs, it shouldn't use SSL when connecting.

Here is my recovery.conf on the slave:

standby_mode          = 'on'
primary_conninfo      = 'host=10.21.32.22 port=5432 user=replication password=ueberseecret'      # ded803
trigger_file          = '/var/run/pg-trigger'

And here is excerpt from pg_hba.conf on master:

root@ded803:~# grep repl /etc/postgresql/9.1/main/pg_hba.conf | grep -v ^#
host    replication    replication    10.21.32.82/32        md5
host    postgres    replication     10.21.32.82/32        md5

(The second entry is for munin plugin on slave used to trend the slave lag.)

    Mario

Re: ssl3 errors in replication.

From
Tom Lane
Date:
Mario Splivalo <mario.splivalo@megafon.hr> writes:
> Reading the docs, it shouldn't use SSL when connecting.

I think you're misreading the docs.  There's nothing in your
configuration that *forbids* an SSL connection, and libpq will try SSL
first unless configured otherwise.  Try adding sslmode=disable.

            regards, tom lane
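
The behaviour described in the last reply, as an added example that is not part of the thread: a small audit that reads a standby's `primary_conninfo` and the matching `pg_hba.conf` record and reports which transport the replication connection ends up on. It assumes the master has `ssl = on` (implied by the SSL errors in the log); the function names are hypothetical and the password is replaced by a placeholder.

```python
import re

# libpq falls back to this when the connection string has no sslmode.
LIBPQ_DEFAULT_SSLMODE = "prefer"

# Order in which libpq tries transports for each sslmode.
ATTEMPTS = {
    "disable": ["plain"], "allow": ["plain", "ssl"], "prefer": ["ssl", "plain"],
    "require": ["ssl"], "verify-ca": ["ssl"], "verify-full": ["ssl"],
}
# Which transports each pg_hba.conf record type matches.
HBA_ACCEPTS = {"host": {"ssl", "plain"}, "hostssl": {"ssl"}, "hostnossl": {"plain"}}

def parse_conninfo(conninfo):
    """Parse libpq keyword=value pairs; values may be single-quoted."""
    pairs = re.findall(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)", conninfo)
    return {key: value.strip("'") for key, value in pairs}

def primary_conninfo(recovery_conf):
    """Pull primary_conninfo out of recovery.conf text (value may wrap lines)."""
    m = re.search(r"primary_conninfo\s*=\s*'((?:[^']|'')*)'", recovery_conf)
    return parse_conninfo(m.group(1).replace("''", "'")) if m else {}

def transport(sslmode, hba_type, server_ssl=True):
    """First transport libpq tries that the server and the hba record accept."""
    for attempt in ATTEMPTS[sslmode]:
        if attempt == "ssl" and not server_ssl:
            continue  # server declines SSL, libpq moves to its next attempt
        if attempt in HBA_ACCEPTS[hba_type]:
            return attempt
    return "rejected"

def audit(recovery_conf, hba_line, server_ssl=True):
    """Return (effective sslmode, resulting transport) for a standby config."""
    mode = primary_conninfo(recovery_conf).get("sslmode", LIBPQ_DEFAULT_SSLMODE)
    return mode, transport(mode, hba_line.split()[0], server_ssl)

# Constructed from the thread's config; the password is replaced by a placeholder.
AS_POSTED = """standby_mode = 'on'
primary_conninfo = 'host=10.21.32.22 port=5432 user=replication
password=PLACEHOLDER'
"""
WITH_FIX = AS_POSTED.replace("PLACEHOLDER'", "PLACEHOLDER sslmode=disable'")
HBA_LINE = "host    replication    replication    10.21.32.82/32        md5"

if __name__ == "__main__":
    print(audit(AS_POSTED, HBA_LINE))  # sslmode absent
    print(audit(WITH_FIX, HBA_LINE))   # sslmode=disable added
```

The same tables cover the server side: a `hostnossl` record forces plain transport and a `hostssl` record refuses it, whatever `sslmode` the standby sets.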