[Pkg-openssl-devel] Bug#751093: openssl: ccs received early from postgres client since installing 1.0.1e-2+deb7u10

Ian Chard ian at mysociety.org
Tue Jun 10 09:45:23 UTC 2014


Package: openssl
Version: 1.0.1e-2+deb7u10
Severity: important

Since installing 1.0.1e-2+deb7u10 on my postgres client, I'm seeing this
error after 50-150MB of data has been transferred from the server:

 PG::Error: SSL error: ccs received early (ActiveRecord::StatementInvalid)

My postgres server is still on squeeze and so has openssl 0.9.8o-4squeeze14.

I note that 1.0.1e-2+deb7u10 restricts where a CCS is acceptable (to fix
CVE-2014-0224), and a Wireshark trace shows the last few packets between
client (c) and server (s):

 c->s: Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
 s->c: Change Cipher Spec, Encrypted Handshake Message
 c->s: Encrypted Alert
 c->s: TCP reset

The only other CCS in the trace was shortly after the connection was opened.

There doesn't seem to be any explicit code in postgres that sends a CCS, so
I'm suspecting that the latest patch is too strict in some way.

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6        2.13-38
ii  libssl1.0.0  1.0.1e-2+deb7u10
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20130119

-- no debconf information
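To make the mechanism in the report concrete, here is a simplified model of the placement check that the CVE-2014-0224 fix introduced: a ChangeCipherSpec from the peer is accepted only once fresh key material exists, and a new ClientHello (as sent for renegotiation) resets that expectation. This is an added illustration, not OpenSSL's or PostgreSQL's code; the message labels and the three traces are constructed, with the renegotiation trace following the packet order quoted above (client ClientKeyExchange, CCS, Finished, then server CCS, Finished). It shows what a correct check accepts or rejects; it does not reproduce whatever the patched Debian build is doing in the reporter's case.

```python
"""Simplified model of the "is a ChangeCipherSpec acceptable now?" check
added for CVE-2014-0224. Illustration only; not OpenSSL's or PostgreSQL's
code. Message labels and traces below are constructed for the example."""

from dataclasses import dataclass

# Handshake/record labels as one endpoint sees them (constructed labels).
CLIENT_HELLO = "ClientHello"
SERVER_HELLO = "ServerHello"
SERVER_HELLO_RESUMED = "ServerHello(resumed)"
CERTIFICATE = "Certificate"
SERVER_HELLO_DONE = "ServerHelloDone"
CLIENT_KEY_EXCHANGE = "ClientKeyExchange"
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"
FINISHED = "Finished"
APPLICATION_DATA = "ApplicationData"


class EarlyCCS(Exception):
    """Raised when the peer's CCS arrives before any key exchange produced keys."""


@dataclass
class ClientView:
    """What a TLS client tracks about whether the server may send a CCS.

    ccs_ok becomes true only once fresh key material exists: after this client
    sent ClientKeyExchange (full handshake) or after the server resumed a
    session (abbreviated handshake). A new ClientHello, e.g. for
    renegotiation, clears it again.
    """
    ccs_ok: bool = False
    peer_finished_seen: bool = False
    accepted_ccs: int = 0
    rejected_ccs: int = 0

    def send(self, msg: str) -> None:
        if msg == CLIENT_HELLO:
            # A new (or renegotiated) handshake starts: no keys yet.
            self.ccs_ok = False
            self.peer_finished_seen = False
        elif msg == CLIENT_KEY_EXCHANGE:
            self.ccs_ok = True

    def recv(self, msg: str) -> None:
        if msg == SERVER_HELLO_RESUMED:
            # Abbreviated handshake: the server legitimately sends CCS next.
            self.ccs_ok = True
        elif msg == CHANGE_CIPHER_SPEC:
            if not self.ccs_ok:
                self.rejected_ccs += 1
                raise EarlyCCS("ccs received early")
            self.accepted_ccs += 1
            self.ccs_ok = False  # one CCS per handshake; Finished must follow
        elif msg == FINISHED:
            self.peer_finished_seen = True


def run(events):
    """Feed (direction, message) pairs to a fresh ClientView.

    Returns (outcome, view); outcome is "ok" or the error text raised.
    """
    view = ClientView()
    try:
        for direction, msg in events:
            if direction == "c->s":
                view.send(msg)
            elif direction == "s->c":
                view.recv(msg)
            else:
                raise ValueError(direction)
    except EarlyCCS as exc:
        return str(exc), view
    return "ok", view


# Constructed traces.
FULL_HANDSHAKE = [
    ("c->s", CLIENT_HELLO),
    ("s->c", SERVER_HELLO), ("s->c", CERTIFICATE), ("s->c", SERVER_HELLO_DONE),
    ("c->s", CLIENT_KEY_EXCHANGE), ("c->s", CHANGE_CIPHER_SPEC), ("c->s", FINISHED),
    ("s->c", CHANGE_CIPHER_SPEC), ("s->c", FINISHED),
    ("s->c", APPLICATION_DATA),
]

# The condition CVE-2014-0224's check exists to reject: a CCS before key exchange.
EARLY_CCS = [
    ("c->s", CLIENT_HELLO),
    ("s->c", SERVER_HELLO),
    ("s->c", CHANGE_CIPHER_SPEC),  # no ClientKeyExchange has happened yet
]

# Renegotiation after application data, in the order of the report's last packets.
RENEGOTIATION = FULL_HANDSHAKE + [
    ("c->s", CLIENT_HELLO),
    ("s->c", SERVER_HELLO), ("s->c", CERTIFICATE), ("s->c", SERVER_HELLO_DONE),
    ("c->s", CLIENT_KEY_EXCHANGE), ("c->s", CHANGE_CIPHER_SPEC), ("c->s", FINISHED),
    ("s->c", CHANGE_CIPHER_SPEC), ("s->c", FINISHED),
]

if __name__ == "__main__":
    for name, trace in [("full", FULL_HANDSHAKE), ("early-ccs", EARLY_CCS),
                        ("renegotiation", RENEGOTIATION)]:
        outcome, view = run(trace)
        print(f"{name:14s} -> {outcome} (accepted CCS: {view.accepted_ccs})")
```

Under this model the full handshake and the renegotiation are both accepted (one and two server CCS messages respectively), while a CCS arriving straight after ServerHello is rejected with the same "ccs received early" wording seen in the PG::Error above.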