Re: More SSL crash woes

From: Jeff Amiel <jamiel(at)istreamimaging(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: More SSL crash woes
Date: 2008-04-08 20:02:03
Message-ID: 47FBCF3B.9020702@istreamimaging.com
Lists: pgsql-general

Tom Lane wrote:
> The previous thread suggested that you might have a problem with
> different bits of code being linked to different versions of libssl.
> Did you ever resolve that? Given the lack of other reports, I'm
> pretty suspicious that it's something like that, rather than a real
> bug in either slony or PG.
>

# ldd /usr/local/pgsql/bin/postgres
...
libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
# ldd /usr/local/pgsql/bin/slon
...
libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8

Now there are 2 subscriber nodes that connect to this node for slony
replication...
One is running the same version (libssl 0.9.8e) but one is running
0.9.7e-p1 2.
Could this be an issue?

So let's ask what is different between my config and the rest of the
world....

The stack trace actually was one more level deep and the reference to
'output_cert_chain' got me thinking....
#0 0xfee8ec23 in sk_value () from /usr/local/ssl/lib/libcrypto.so.0.9.8
#1 0xfef5b05b in ssl3_output_cert_chain () from /usr/local/ssl/lib/libssl.so.0.9.8
#2 0x00000000 in ?? ()

Is it unique that I use SSL for encryption but not for authentication?
I have no root.crt (and see the warning in my logs about "could not
load root certificate file "root.crt": No such file or directory. Will
not verify client certificates.")
Is this unusual? Do other people use SSL with postgres JUST for encryption?

Is there something wrong with the way we build/install libssl?
We currently do a pkgadd of the binary from sunfreeware:

/usr/sfw/bin/wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/openssl-0.9.8e-sol10-x86-local.gz
gzip -d openssl-0.9.8e-sol10-x86-local.gz
pkgadd -d openssl-0.9.8e-sol10-x86-local

I went back and researched the nearly identical problems we were having
under FreeBSD and the stack trace (using a slightly different/older
version of libssl) looks like a different spot:

(gdb) bt
#0 0x2838e492 in SHA1_Init () from /lib/libcrypto.so.3
#1 0x2838a14a in X509_check_private_key () from /lib/libcrypto.so.3
#2 0x2838a459 in EVP_DigestInit_ex () from /lib/libcrypto.so.3

Any other thoughts?
