Re: Backups and SSL
From | Tom Lane |
---|---|
Subject | Re: Backups and SSL |
Date | |
Msg-id | 26106.1298955490@sss.pgh.pa.us |
In reply to | Backups and SSL (Bastiaan Olij <bastiaan@basenlily.me>) |
Responses | Re: Backups and SSL |
List | pgsql-novice |

Bastiaan Olij <bastiaan@basenlily.me> writes:
> I was wondering if something ran into this before and has some answers
> to what may have gone wrong here. I set up my local little test server
> to allow for SSL connections only as I was playing around with this.

> I had to restore a copy of a clients database on my machine to look at
> some data and pg_restore kept getting disconnected half way through
> restoring the backup with no explanation. Looking at the postgres logs I
> noticed a couple of entries related to a negotiation error on SSL. Not
> expecting much I changed my pg_hba file to allow for non secure
> connections and was suddenly able to restore this backup.

> I have had no issues with other backups since I switched my little test
> setup to using SSL but I'm eager to find out if this is a known issue
> with SSL and if something can be done about this.

Was this dying after several hundred megabytes pushed across the SSL connection? If so, it probably is a known issue: many vendors lobotomized their SSL libraries' handling of renegotiation as a stopgap solution for the security issue CVE-2009-3555, and not everybody has adopted a real fix yet.

If you are running a reasonably recent version of PG (one released since 2010-02-25) you can work around this by setting ssl_renegotiation_limit = 0 in postgresql.conf; but a better fix would be to update to a non-lobotomized SSL library if possible. Note that either the client- or server-side SSL library could be at fault.

regards, tom lane