Thread: Backups and SSL
Hey all,

I was wondering if someone ran into this before and has some answers to what may have gone wrong here. I set up my local little test server to allow for SSL connections only as I was playing around with this.

I had to restore a copy of a client's database on my machine to look at some data and pg_restore kept getting disconnected halfway through restoring the backup with no explanation. Looking at the postgres logs I noticed a couple of entries related to a negotiation error on SSL. Not expecting much I changed my pg_hba file to allow for non-secure connections and was suddenly able to restore this backup.

I have had no issues with other backups since I switched my little test setup to using SSL but I'm eager to find out if this is a known issue with SSL and if something can be done about this. We're about to roll out a few setups that require SSL connections and I obviously want to make sure any backups made on these systems can be restored.

Obviously on a production environment we'd be running the backup process on the server itself, moving the resulting backup file off the server, and there is no requirement to connect over SSL.

Cheers,

Bastiaan Olij
e-mail/MSN: bastiaan@basenlily.me
web: http://www.basenlily.me
Skype: Mux213
http://www.linkedin.com/in/bastiaanolij
Bastiaan Olij <bastiaan@basenlily.me> writes:
> I was wondering if someone ran into this before and has some answers
> to what may have gone wrong here. I set up my local little test server
> to allow for SSL connections only as I was playing around with this.
> I had to restore a copy of a client's database on my machine to look at
> some data and pg_restore kept getting disconnected halfway through
> restoring the backup with no explanation. Looking at the postgres logs I
> noticed a couple of entries related to a negotiation error on SSL. Not
> expecting much I changed my pg_hba file to allow for non-secure
> connections and was suddenly able to restore this backup.
> I have had no issues with other backups since I switched my little test
> setup to using SSL but I'm eager to find out if this is a known issue
> with SSL and if something can be done about this.

Was this dying after several hundred megabytes pushed across the SSL connection? If so, it probably is a known issue: many vendors lobotomized their SSL libraries' handling of renegotiation as a stopgap solution for the security issue CVE-2009-3555, and not everybody has adopted a real fix yet.

If you are running a reasonably recent version of PG (one released since 2010-02-25) you can work around this by setting ssl_renegotiation_limit = 0 in postgresql.conf; but a better fix would be to update to a non-lobotomized SSL library if possible. Note that either the client- or server-side SSL library could be at fault.

regards, tom lane
Hi Tom,

Thanks for that, sounds very likely to be the problem. Forgot to mention that this is running 8.4.6 on Mac OSX (Enterprise DB build) so a pretty new build. No idea what they are using for SSL libraries though.

Cheers,

Bas

On 1/03/11 3:58 PM, Tom Lane wrote:
>
> Was this dying after several hundred megabytes pushed across the SSL
> connection? If so, it probably is a known issue: many vendors
> lobotomized their SSL libraries' handling of renegotiation as a stopgap
> solution for the security issue CVE-2009-3555, and not everybody has
> adopted a real fix yet. If you are running a reasonably recent version
> of PG (one released since 2010-02-25) you can work around this by
> setting ssl_renegotiation_limit = 0 in postgresql.conf; but a better fix
> would be to update to a non-lobotomized SSL library if possible. Note
> that either the client- or server-side SSL library could be at fault.
>
> regards, tom lane
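
An added example, not part of the original thread: a small check that reads a postgresql.conf, works out the effective `ssl_renegotiation_limit`, and reports whether a restore of a given size would cross it on a single connection. The function names and the sample configuration are constructed for illustration; the 512MB default and the kB base unit are assumed from the PostgreSQL documentation for this setting.

```python
import re

# PostgreSQL's documented default for this setting is 512MB; a bare integer is in kB.
DEFAULT_LIMIT_KB = 512 * 1024
UNITS_KB = {"": 1, "kB": 1, "MB": 1024, "GB": 1024 * 1024}
SETTING = re.compile(r"ssl_renegotiation_limit\s*=?\s*'?(\d+)\s*([A-Za-z]*)'?", re.I)

# Constructed postgresql.conf excerpt for the demo (not taken from the thread).
SAMPLE_CONF = """\
ssl = on                           # SSL-only test server
#ssl_renegotiation_limit = 512MB   # commented out, so the default applies
shared_buffers = 32MB
"""


def renegotiation_limit_kb(conf_text):
    """Return the effective ssl_renegotiation_limit in kB (0 = renegotiation disabled)."""
    limit = DEFAULT_LIMIT_KB
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        match = SETTING.fullmatch(line)
        if not match:
            continue
        value, unit = match.groups()
        if unit not in UNITS_KB:
            raise ValueError(f"unsupported unit in: {raw.strip()!r}")
        limit = int(value) * UNITS_KB[unit]   # a later line overrides an earlier one
    return limit


def restore_triggers_renegotiation(conf_text, transfer_bytes):
    """True if one connection moving transfer_bytes would cross the limit."""
    limit_kb = renegotiation_limit_kb(conf_text)
    return limit_kb != 0 and transfer_bytes > limit_kb * 1024


if __name__ == "__main__":
    workaround = SAMPLE_CONF + "ssl_renegotiation_limit = 0\n"
    for name, conf in (("default", SAMPLE_CONF), ("workaround", workaround)):
        hit = restore_triggers_renegotiation(conf, 700 * 1024 ** 2)
        print(f"{name}: limit={renegotiation_limit_kb(conf)} kB, 700 MB restore renegotiates={hit}")
```

The size passed in should be an estimate of the data actually sent over the connection, which can be larger than a compressed dump file on disk.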