On Fri, Dec 19, 2014 at 11:52 AM, Christoph Berg <c...@df7cb.de> wrote:

> Re: Chris Butler 2014-12-19 <1155204201.65430.1418975376728.javamail.zim...@zedcore.com>
> > One of our servers is currently running on postgres 9.2 using the
> > 9.2.9-1.pgdg70+1 packages from pgdg.
> >
> > After an apt update this morning which brought in the libpq5 package
> > version 9.4.0-1.pgdg70+1, connections to the database started failing with
> > SSL errors logged on the server:
> >
> > [unknown] [unknown] LOG: could not accept SSL connection: digest too big for rsa key
> >
> > Rolling back the server and client to libpq5 version 9.3.5-2.pgdg70+1
> > fixed it.
> >
> > This is running on an otherwise up-to-date Debian Wheezy. The SSL
> > certificate is locally issued using an internal CA which has been added to
> > the local trust store. SSL-related config options are left set to the
> > defaults.
>
> Hi Chris,
>
> thanks for the report.
>
> Googling for "digest too big for rsa key" seems to indicate that this
> problem occurs when you are using (client?) certificates with short
> RSA keys. 512 bits is most often cited in the problem reports,
> something like 768 is around the minimum size that works, and of
> course, anything smaller than 1024 or really 1536 (or 2048) bits is
> too small for today's crypto standards.
>
> So the question here is if this is also the problem you saw - are you
> using client or server certificates with short keys?
>
> What this explanation doesn't explain is why the problem occurs with
> 9.4's libpq5 while it works with 9.3's. The libssl version used for
> building these packages should really be the same, 9.3.5-2.pgdg70+1
> was built just two days ago as well.
>
> I'm CCing -hackers, maybe someone there has an idea.
Some googling shows that this could be because it's negotiating TLS 1.2 which the key is just too small for. And we did change that in 9.4 - commit 326e1d73c476a0b5061ef00134bdf57aed70d5e7 disabled SSL in favor of always using TLS for security reasons.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
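Added example, not part of the thread and not PostgreSQL or OpenSSL code: the size arithmetic behind "digest too big for rsa key". A PKCS#1 v1.5 signature has to fit the hash, its DER DigestInfo prefix and 11 bytes of padding inside the RSA modulus; before TLS 1.2 the handshake signature covers a raw MD5||SHA-1 value with no prefix, while TLS 1.2 negotiates a single hash (possibly SHA-384 or SHA-512) and wraps it in a DigestInfo, which is why the same short key that worked under TLS 1.0/1.1 can fail. The script assumes the standard DigestInfo prefix lengths from PKCS#1 and models the length check OpenSSL performs in RSA_sign.

```python
# Added example (not from the thread): which TLS signature hashes an RSA key
# of a given size can sign with under PKCS#1 v1.5, and why a short key that
# was fine for TLS 1.0/1.1 fails once TLS 1.2 picks a larger hash.

PKCS1_PADDING_SIZE = 11  # minimum PKCS#1 v1.5 type-1 padding (OpenSSL's RSA_PKCS1_PADDING_SIZE)

# hash name -> (digest length, DER DigestInfo prefix length), both in bytes.
# "md5-sha1" is the pre-TLS-1.2 handshake signature: two digests concatenated,
# no DigestInfo prefix at all.  Prefix lengths are the standard ones from PKCS#1.
TLS_HASHES = {
    "md5-sha1": (36, 0),
    "sha1":     (20, 15),
    "sha224":   (28, 19),
    "sha256":   (32, 19),
    "sha384":   (48, 19),
    "sha512":   (64, 19),
}


def min_modulus_bits(hash_name):
    """Smallest RSA modulus (in bits) that can carry a PKCS#1 v1.5 signature over hash_name."""
    digest_len, prefix_len = TLS_HASHES[hash_name]
    return (digest_len + prefix_len + PKCS1_PADDING_SIZE) * 8


def digest_too_big(key_bits, hash_name):
    """Model of OpenSSL's RSA_sign length check: True when DigestInfo||hash plus
    the minimum padding does not fit in a key_bits modulus (the error in the thread)."""
    digest_len, prefix_len = TLS_HASHES[hash_name]
    return digest_len + prefix_len > key_bits // 8 - PKCS1_PADDING_SIZE


def report(key_bits):
    """Map each TLS signature hash to whether a key_bits RSA key can sign with it."""
    return {name: not digest_too_big(key_bits, name) for name in TLS_HASHES}


if __name__ == "__main__":
    # 512-bit keys are the size most often cited in the reports; 768 is the
    # first size here that works for every hash TLS 1.2 may negotiate.
    for bits in (512, 768, 1024, 2048):
        ok = report(bits)
        works = [h for h, fits in ok.items() if fits]
        fails = [h for h, fits in ok.items() if not fits]
        print(f"{bits:5d}-bit key: signs with {works}; 'digest too big' for {fails}")
```

A 512-bit key still signs the 36-byte MD5||SHA-1 value used before TLS 1.2 but cannot fit a SHA-384 or SHA-512 DigestInfo, while 768 bits clears all of them, matching the sizes quoted in the thread.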