Discussion: [BUGS] BUG #14893: libpq SSL ClientHello too long,no option to set ciphers or affect cipher list length
[BUGS] BUG #14893: libpq SSL ClientHello too long,no option to set ciphers or affect cipher list length
From
minfrin@sharp.fm
Date:
The following bug has been logged on the website:

Bug reference: 14893
Logged by: Graham Leggett
Email address: minfrin@sharp.fm
PostgreSQL version: 9.5.9
Operating system: Ubuntu Xenial
Description:

Hi all,

I am having trouble on an Ubuntu Xenial machine where the out-the-box psql refuses to connect to the out-the-box postgresql over SSL. The same setup worked on Ubuntu Trusty.

Debugging reveals that the cipher list sent by the libpq client is too long (greater than 255 bytes), and this causes the postgresql server to slam down the phone, or it derails the client side enough that a bogus message "tlsv1 alert unknown ca" is returned by the client.

We need a way to either:

- Set the sslcipher in the connection URL, or
- Set the default cipher during the connection to something reasonably sensible to keep the ClientHello size down.

The cipher can be controlled by ssl_cipher on the server side, but this was forgotten on the client side.

Regards,
Graham

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
minfrin@sharp.fm writes:
> I am having trouble on an Ubuntu Xenial machine where the out-the-box psql
> refuses to connect to the out-the-box postgresql over SSL. The same setup
> worked on Ubuntu Trusty.

> Debugging reveals that the cipher list sent by the libpq client is too long
> (greater than 255 bytes), and this causes the postgresql server to slam down
> the phone, or it derails the client side enough that a bogus message "tlsv1
> alert unknown ca" is returned by the client.

This seems like an OpenSSL bug, not a Postgres bug. libpq doesn't do anything that determines cipher lists.

regards, tom lane