Discussion: ssl3 errors in replication.
I have these errors in my log files, occurring very often:

2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
2012-02-02 01:05:58 CST [20507]: [301-1] user=,db= LOG: invalid magic number 0000 in log file 970, segment 37, offset 15728640
2012-02-02 01:05:58 CST [4104]: [1-1] user=,db= LOG: streaming replication successfully connected to primary
2012-02-02 01:14:28 CST [4104]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
2012-02-02 01:14:33 CST [20507]: [302-1] user=,db= LOG: unexpected pageaddr 3C9/CBE6A000 in log file 970, segment 196, offset 15114240
2012-02-02 01:14:33 CST [4212]: [1-1] user=,db= LOG: streaming replication successfully connected to primary
2012-02-02 01:15:10 CST [4212]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
2012-02-02 01:15:10 CST [20507]: [303-1] user=,db= LOG: unexpected pageaddr 3C9/B0F80000 in log file 970, segment 227, offset 16252928
2012-02-02 01:15:10 CST [4269]: [1-1] user=,db= LOG: streaming replication successfully connected to primary

These are happening every few minutes. This started happening when I upgraded master and slave from 9.1.1 to 9.1.2 (the upgrade was related to frequent segfaulting of the slave when additional load was put onto WALs - a lot of DML on the master made the slave segfault). Before the upgrade I had 'sslv3 alert' issues maybe once every few days.

I've added another slave to the setup, and I have the same issues there as on the other slave - the difference is that the newly added slave has no clients connected to it.
This is all set up on 64-bit Debian Squeeze upgraded to the latest packages, where postgres 9.1.2 is installed from the backports repositories:

postgres=# select version();
                                                    version
-------------------------------------------------------------------------------------------------------
 PostgreSQL 9.1.2 on x86_64-unknown-linux-gnu, compiled by gcc-4.6.real (Debian 4.6.2-9) 4.6.2, 64-bit
(1 row)
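The log excerpt above shows a repeating three-step cycle: a FATAL SSL alert on the walreceiver, a WAL consistency notice (invalid magic number / unexpected pageaddr) from the startup process, and a fresh walreceiver reconnecting. The following Python script is an added example (not part of the thread, nor PostgreSQL's own tooling) that parses lines in this exact log_line_prefix format, counts the SSL disconnects, and measures how often they recur and how long the standby takes to reconnect, which is the quickest way to confirm "every few minutes" from a real log rather than by eye. The sample input is the thread's own nine lines; the 600-second flapping threshold is an assumed value.

```python
import re
from datetime import datetime
from statistics import mean
from typing import Dict, List, NamedTuple, Optional

# Layout of the lines in the thread:
#   "<timestamp> <tz> [<pid>]: [<seq>] user=<u>,db=<d> <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"\[(?P<pid>\d+)\]: \[(?P<seq>\d+-\d+)\] "
    r"user=(?P<user>[^,]*),db=(?P<db>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Sample input: the nine log lines quoted in the thread.
SAMPLE_LOG: List[str] = [
    "2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message",
    "2012-02-02 01:05:58 CST [20507]: [301-1] user=,db= LOG: invalid magic number 0000 in log file 970, segment 37, offset 15728640",
    "2012-02-02 01:05:58 CST [4104]: [1-1] user=,db= LOG: streaming replication successfully connected to primary",
    "2012-02-02 01:14:28 CST [4104]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message",
    "2012-02-02 01:14:33 CST [20507]: [302-1] user=,db= LOG: unexpected pageaddr 3C9/CBE6A000 in log file 970, segment 196, offset 15114240",
    "2012-02-02 01:14:33 CST [4212]: [1-1] user=,db= LOG: streaming replication successfully connected to primary",
    "2012-02-02 01:15:10 CST [4212]: [2-1] user=,db= FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message",
    "2012-02-02 01:15:10 CST [20507]: [303-1] user=,db= LOG: unexpected pageaddr 3C9/B0F80000 in log file 970, segment 227, offset 16252928",
    "2012-02-02 01:15:10 CST [4269]: [1-1] user=,db= LOG: streaming replication successfully connected to primary",
]


class Event(NamedTuple):
    ts: datetime
    pid: int
    level: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a line in the expected format, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")  # tz suffix ignored (single zone)
    return Event(ts, int(m["pid"]), m["level"], m["msg"])


def summarize_replication_log(lines) -> Dict[str, object]:
    """Count SSL disconnects of the walreceiver and measure recurrence and recovery."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    ssl_failures = [e for e in events if e.level == "FATAL" and "SSL error" in e.msg]
    reconnects = [e for e in events if "successfully connected to primary" in e.msg]
    wal_notices = [e for e in events
                   if "invalid magic number" in e.msg or "unexpected pageaddr" in e.msg]
    # Seconds between consecutive SSL failures: how often the stream is torn down.
    gaps = [int((b.ts - a.ts).total_seconds()) for a, b in zip(ssl_failures, ssl_failures[1:])]
    # Seconds from each failure to the next successful reconnect (None if never reconnected).
    recovery: List[Optional[int]] = []
    for f in ssl_failures:
        later = [r for r in reconnects if r.ts >= f.ts]
        recovery.append(int((later[0].ts - f.ts).total_seconds()) if later else None)
    return {
        "ssl_failures": len(ssl_failures),
        "reconnects": len(reconnects),
        "wal_notices": len(wal_notices),
        "gaps_seconds": gaps,
        "mean_gap_seconds": mean(gaps) if gaps else None,
        "recovery_seconds": recovery,
    }


def is_flapping(summary: Dict[str, object], max_mean_gap: int = 600) -> bool:
    """Assumed rule: at least two SSL failures less than max_mean_gap seconds apart on average."""
    gap = summary["mean_gap_seconds"]
    return gap is not None and gap < max_mean_gap


if __name__ == "__main__":
    s = summarize_replication_log(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("flapping:", is_flapping(s))
```

Run it against the standby's log (for example `python3 walrecv_stats.py < postgresql.log` with the obvious stdin loop added) to see whether the failures cluster around a fixed interval, which would point at the SSL renegotiation discussed later in the thread rather than at random network loss.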
Mario Splivalo <mario.splivalo@megafon.hr> writes:
> I have these errors in my log files, occurring very often:
> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
> receive data from WAL stream: SSL error: sslv3 alert unexpected message

Google suggests that this might be caused by version or configuration mismatches between openssl libraries on the master and slave machines. One particular thing I'm wondering about is whether your openssl libraries deal with the SSL renegotiation bug sanely (ie they've got a fix for it that's less brain-dead than breaking the connection).

regards, tom lane
On 02/02/2012 05:16 PM, Tom Lane wrote:
> Mario Splivalo <mario.splivalo@megafon.hr> writes:
>> I have these errors in my log files, occurring very often:
>> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
>> receive data from WAL stream: SSL error: sslv3 alert unexpected message
>
> Google suggests that this might be caused by version or configuration
> mismatches between openssl libraries on the master and slave machines.
> One particular thing I'm wondering about is whether your openssl
> libraries deal with the SSL renegotiation bug sanely (ie they've got
> a fix for it that's less brain-dead than breaking the connection).

Is there a way I can force replication over a non-ssl channel? All those boxes are in my private network and ssl is a bit of overhead there anyhow.

Mario
On 02/02/2012 05:15 PM, Mario Splivalo wrote:
> On 02/02/2012 05:16 PM, Tom Lane wrote:
>> Mario Splivalo <mario.splivalo@megafon.hr> writes:
>>> I have these errors in my log files, occurring very often:
>>> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
>>> receive data from WAL stream: SSL error: sslv3 alert unexpected message
>>
>> Google suggests that this might be caused by version or configuration
>> mismatches between openssl libraries on the master and slave machines.
>> One particular thing I'm wondering about is whether your openssl
>> libraries deal with the SSL renegotiation bug sanely (ie they've got
>> a fix for it that's less brain-dead than breaking the connection).
>
> Is there a way I can force replication over non-ssl channel? All those
> boxes are in my private network and ssl is a bit overhead there anyhow.

Reading the docs, it shouldn't use SSL when connecting. Here is my recovery.conf on the slave:

standby_mode = 'on'
primary_conninfo = 'host=10.21.32.22 port=5432 user=replication password=ueberseecret' # ded803
trigger_file = '/var/run/pg-trigger'

And here is an excerpt from pg_hba.conf on the master:

root@ded803:~# grep repl /etc/postgresql/9.1/main/pg_hba.conf | grep -v ^#
host replication replication 10.21.32.82/32 md5
host postgres replication 10.21.32.82/32 md5

(The second entry is for the munin plugin on the slave used to trend the slave lag.)

Mario
Mario Splivalo <mario.splivalo@megafon.hr> writes:
> Reading the docs, it shouldn't use SSL when connecting.

I think you're misreading the docs. There's nothing in your configuration that *forbids* an SSL connection, and libpq will try SSL first unless configured otherwise. Try adding sslmode=disable.

regards, tom lane
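Tom's point is that SSL use is decided by two settings that have to be read together: the client's sslmode (libpq defaults to "prefer", which tries SSL first and falls back to plaintext if the SSL attempt is rejected) and the record type of the first matching pg_hba.conf line on the server ("host" matches both SSL and plain TCP connections, "hostssl" only SSL, "hostnossl" only plain). The Python below is an added example, not code from the thread or from PostgreSQL, that models that decision for a given primary_conninfo and pg_hba.conf and predicts which transport the replication session will end up on. It uses the thread's own conninfo (password left out) and pg_hba lines as sample data, assumes CIDR-style address fields and unquoted conninfo values, and deliberately simplifies libpq's retry logic to "first transport that a matching, non-reject record accepts". It also covers one edge the thread does not mention: a pg_hba "all" database entry does not match replication connections, which need an explicit "replication" keyword.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# libpq sslmode values and the transport(s) the client tries, in order.
# "prefer" is the default when libpq is built with SSL support.
SSL_MODES: Dict[str, Tuple[str, ...]] = {
    "disable": ("plain",),
    "allow": ("plain", "ssl"),
    "prefer": ("ssl", "plain"),
    "require": ("ssl",),
    "verify-ca": ("ssl",),
    "verify-full": ("ssl",),
}

# pg_hba.conf TCP record types and the transports each one matches.
HBA_TYPES: Dict[str, Tuple[str, ...]] = {
    "host": ("ssl", "plain"),
    "hostssl": ("ssl",),
    "hostnossl": ("plain",),
}

# Sample data taken from the thread (password omitted).
PRIMARY_CONNINFO = "host=10.21.32.22 port=5432 user=replication"
HBA_MASTER = """
# grep repl /etc/postgresql/9.1/main/pg_hba.conf
host replication replication 10.21.32.82/32 md5
host postgres     replication 10.21.32.82/32 md5
"""
SLAVE_IP = "10.21.32.82"


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Split a space-separated key=value conninfo string (no quoted values handled)."""
    params: Dict[str, str] = {}
    for token in conninfo.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def client_transports(conninfo: str) -> Tuple[str, ...]:
    """Transports libpq will attempt, in order, for this conninfo."""
    mode = parse_conninfo(conninfo).get("sslmode", "prefer")
    if mode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    return SSL_MODES[mode]


def parse_hba(text: str) -> List[Dict[str, str]]:
    """Keep TCP records (host/hostssl/hostnossl) as dicts; comments and 'local' lines are skipped.
    Simplification: address must be CIDR; the separate-netmask column form is not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5 or fields[0] not in HBA_TYPES:
            continue
        rules.append(dict(zip(("type", "database", "user", "address", "method"), fields[:5])))
    return rules


def rule_matches(rule: Dict[str, str], database: str, user: str, client_ip: str) -> bool:
    # "all" matches every real database but NOT replication connections,
    # which only match a record whose database field is literally "replication".
    db_ok = rule["database"] == database or (rule["database"] == "all" and database != "replication")
    user_ok = rule["user"] in ("all", user)  # role groups (+name) not modelled
    try:
        addr_ok = ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule["address"], strict=False)
    except ValueError:
        addr_ok = False  # hostnames / malformed addresses never match in this model
    return db_ok and user_ok and addr_ok


def predict_transport(conninfo: str, hba_text: str, database: str, user: str,
                      client_ip: str) -> Optional[str]:
    """Transport the session ends up on ("ssl" or "plain"), or None if every attempt is refused.
    pg_hba is first-match: the first record matching type+identity decides, and 'reject' refuses."""
    rules = parse_hba(hba_text)
    for transport in client_transports(conninfo):
        match = next((r for r in rules
                      if transport in HBA_TYPES[r["type"]]
                      and rule_matches(r, database, user, client_ip)), None)
        if match is not None and match["method"] != "reject":
            return transport
    return None


if __name__ == "__main__":
    for ci in (PRIMARY_CONNINFO, PRIMARY_CONNINFO + " sslmode=disable"):
        print(f"{ci!r} -> {predict_transport(ci, HBA_MASTER, 'replication', 'replication', SLAVE_IP)}")
```

With the thread's files the first call prints "ssl", which is exactly why the walreceiver keeps hitting the SSL alert; appending sslmode=disable to primary_conninfo flips it to "plain". Changing the server side instead, to a "hostnossl replication ..." record, gives the same plaintext result because "prefer" falls back after the SSL attempt is refused. Whichever side you change, the WAL stream then crosses the network unencrypted, so the private-network assumption Mario states is what makes the change acceptable.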