Обсуждение: [BUGS] BUG #14893: libpq SSL ClientHello too long,no option to set ciphers or affect cipher list length

The following bug has been logged on the website:

Bug reference:      14893
Logged by:          Graham Leggett
Email address:      minfrin@sharp.fm
PostgreSQL version: 9.5.9
Operating system:   Ubuntu Xenial
Description:

Hi all,

I am having trouble on an Ubuntu Xenial machine where the out-the-box psql
refuses to connect to the out-the-box postgresql over SSL. The same setup
worked on Ubuntu Trusty.

Debugging reveals that the cipher list sent by the libpg client is too long
(greater than 255 bytes), and this causes the postgresql server to slam down
the phone, or it derails the client side enough that a bogus message "tlsv1
alert unknown ca" is returned by the client.

We need a way to either:

- Set the sslcipher in the connection URL, or
- Set the default cipher during the connection to something reasonably
sensible to keep the ClientHello size down.

The cipher can be controlled by ssl_cipher on the server side, but this was
forgotten on the client side.

Regards,
Graham
--



--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

minfrin@sharp.fm writes:
> I am having trouble on an Ubuntu Xenial machine where the out-the-box psql
> refuses to connect to the out-the-box postgresql over SSL. The same setup
> worked on Ubuntu Trusty.

> Debugging reveals that the cipher list sent by the libpg client is too long
> (greater than 255 bytes), and this causes the postgresql server to slam down
> the phone, or it derails the client side enough that a bogus message "tlsv1
> alert unknown ca" is returned by the client.

This seems like an OpenSSL bug, not a Postgres bug.  libpq doesn't do
anything that determines cipher lists.
        regards, tom lane


-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs