
gmd20's personal space

// programming and life

golang's lib/pq hits an SSL renegotiation failure when connecting to PostgreSQL, causing "driver: bad connection"

2015-07-28 10:26:15 | Category: Programming

1. This error shows up when using golang's lib/pq (https://github.com/lib/pq) to connect to PostgreSQL
-----------------
```
2015/07/27 17:48:30 main.go:392: driver: bad connection
```

The failing code; the error is the one returned by rows.Err():
```go
  for rows.Next() {
    if err = rows.Scan(&id, &typ, &status); err != nil {
      log.Fatal(err)
    }
  }

  // rows.Err() reports any error hit while iterating; this is where
  // "driver: bad connection" surfaces once the server has dropped the
  // TLS session in the middle of the result set
  err = rows.Err()
  if err != nil {
    log.Fatal(err)
  }
```

2. The PostgreSQL log confirms that the connection really was dropped
---------------
```
2015-07-27 17:48:30 CST [21997-51] user1@user1 LOG:  SSL renegotiation failure
2015-07-27 17:48:30 CST [21997-52] user1@user1 STATEMENT:  SELECT id,typ,status,
2015-07-27 17:48:30 CST [21997-53] user1@user1 LOG:  SSL error: ssl handshake failure
2015-07-27 17:48:30 CST [21997-54] user1@user1 STATEMENT:  SELECT id,typ,status,
2015-07-27 17:48:30 CST [21997-55] user1@user1 LOG:  could not send data to client: Connection reset by peer
2015-07-27 17:48:30 CST [21997-56] user1@user1 STATEMENT:  SELECT id,typ,status,
2015-07-27 17:48:30 CST [21997-57] user1@user1 FATAL:  connection to client lost
2015-07-27 17:48:30 CST [21997-58] user1@user1 STATEMENT:  SELECT id,typ,status,
```

So it looks like an SSL renegotiation failure: the server tries to renegotiate the session keys, the handshake fails, the client closes the socket, and the backend dies with "connection to client lost".




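To make the diagnosis in step 2 repeatable on a busy server log, here is an added example (written for this post, not code from the original article, from lib/pq or from PostgreSQL) that correlates log lines by backend PID and flags only the backends that logged "SSL renegotiation failure" and afterwards "connection to client lost". It assumes the log_line_prefix seen in the log above ('%t [%p-%l] %u@%d '); the first eight sample lines are the ones quoted from the server log, and the lines for PIDs 22010 and 22011 are constructed for the example to show that an ordinary disconnect, or a client reset with no preceding renegotiation failure, is not reported.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Incident describes one backend whose TLS session was torn down after a
// failed renegotiation, as reconstructed from the server log.
type Incident struct {
	PID       string   // backend process id, from the [pid-lineno] prefix
	Session   string   // user@database
	Statement string   // the STATEMENT logged with the first failure
	Trail     []string // LOG/FATAL messages for that backend, in order
}

// logLine assumes the prefix used in the post's log: '%t [%p-%l] %u@%d '.
// Groups: 1 timestamp, 2 pid, 3 line no, 4 user@db, 5 level, 6 message.
var logLine = regexp.MustCompile(
	`^(\S+ \S+ \S+) \[(\d+)-(\d+)\] (\S+) (LOG|STATEMENT|FATAL|ERROR|WARNING|DETAIL|HINT):\s+(.*)$`)

// DetectRenegotiationDrops correlates log lines per backend PID and returns
// only the backends that logged "SSL renegotiation failure" and afterwards
// "connection to client lost". A reset without a preceding renegotiation
// failure is a different problem and is deliberately not reported.
func DetectRenegotiationDrops(lines []string) []Incident {
	type state struct {
		inc      Incident
		sawReneg bool
		lost     bool
	}
	byPID := map[string]*state{}
	var order []string // first-seen order, so the output is deterministic
	for _, raw := range lines {
		m := logLine.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue // not in the expected format; skip it
		}
		pid, session, level, msg := m[2], m[4], m[5], m[6]
		st, ok := byPID[pid]
		if !ok {
			st = &state{inc: Incident{PID: pid, Session: session}}
			byPID[pid] = st
			order = append(order, pid)
		}
		if level == "STATEMENT" {
			// The STATEMENT line names the query that was running when the
			// preceding LOG/FATAL fired; keep the first one after the failure.
			if st.sawReneg && st.inc.Statement == "" {
				st.inc.Statement = msg
			}
			continue
		}
		st.inc.Trail = append(st.inc.Trail, level+": "+msg)
		if strings.Contains(msg, "SSL renegotiation failure") {
			st.sawReneg = true
		}
		if st.sawReneg && strings.Contains(msg, "connection to client lost") {
			st.lost = true
		}
	}
	var out []Incident
	for _, pid := range order {
		if st := byPID[pid]; st.sawReneg && st.lost {
			out = append(out, st.inc)
		}
	}
	return out
}

// SampleLog: the first eight lines are the ones quoted from the server log in
// the post; the lines for PIDs 22010 and 22011 are constructed for this example.
var SampleLog = []string{
	"2015-07-27 17:48:30 CST [21997-51] user1@user1 LOG:  SSL renegotiation failure",
	"2015-07-27 17:48:30 CST [21997-52] user1@user1 STATEMENT:  SELECT id,typ,status,",
	"2015-07-27 17:48:30 CST [21997-53] user1@user1 LOG:  SSL error: ssl handshake failure",
	"2015-07-27 17:48:30 CST [21997-54] user1@user1 STATEMENT:  SELECT id,typ,status,",
	"2015-07-27 17:48:30 CST [21997-55] user1@user1 LOG:  could not send data to client: Connection reset by peer",
	"2015-07-27 17:48:30 CST [21997-56] user1@user1 STATEMENT:  SELECT id,typ,status,",
	"2015-07-27 17:48:30 CST [21997-57] user1@user1 FATAL:  connection to client lost",
	"2015-07-27 17:48:30 CST [21997-58] user1@user1 STATEMENT:  SELECT id,typ,status,",
	// constructed: a normal disconnect, must not be flagged
	"2015-07-27 17:48:31 CST [22010-3] user1@user1 LOG:  disconnection: session time: 0:00:05.123 user=user1 database=user1 host=127.0.0.1 port=51234",
	// constructed: a client reset with no renegotiation failure, must not be flagged
	"2015-07-27 17:49:02 CST [22011-7] user1@user1 LOG:  could not send data to client: Connection reset by peer",
	"2015-07-27 17:49:02 CST [22011-8] user1@user1 FATAL:  connection to client lost",
}

func main() {
	for _, inc := range DetectRenegotiationDrops(SampleLog) {
		fmt.Printf("backend %s (%s) dropped after a failed TLS renegotiation while running: %s\n",
			inc.PID, inc.Session, inc.Statement)
		for _, l := range inc.Trail {
			fmt.Println("   ", l)
		}
	}
}
```

Keying on the PID rather than on a single message matters because "could not send data to client: Connection reset by peer" on its own is an ordinary client-side abort; only the sequence renegotiation failure, handshake failure, reset, then FATAL within one backend points at this bug.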
3. An official issue found online says Go does not support "renegotiation" yet
---------------------------
crypto/tls: does not support renegotiation #5742
https://github.com/golang/go/issues/5742

The client side of Go's TLS implementation does not support renegotiation, because the IETF RFCs had not resolved the protocol issue that leads to the "triple handshake attacks"[1].

See this link:
https://www.secure-resumption.com/
Triple Handshakes Considered Harmful
Breaking and Fixing Authentication over TLS

So far I have not seen any official word on a fix.

The only option is to work around it elsewhere.


4. Renegotiation can be turned off on the PostgreSQL side
-----------------------------------
```
ssl_renegotiation_limit (integer)
Specifies how much data can flow over an SSL-encrypted connection before renegotiation of the session keys will take place. Renegotiation decreases an attacker's chances of doing cryptanalysis when large amounts of traffic can be examined, but it also carries a large performance penalty. The sum of sent and received traffic is used to check the limit. If this parameter is set to 0, renegotiation is disabled. The default is 512MB.

Note: SSL libraries from before November 2009 are insecure when using SSL renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix for this vulnerability, some vendors shipped SSL libraries incapable of doing renegotiation. If any such libraries are in use on the client or server, SSL renegotiation should be disabled.
```

The default limit is 512MB, which explains why the problem reproduced sooner the more traffic a connection carried: the counter is the sum of bytes sent and received, so a bulk SELECT reaches the limit quickly. Setting it to 0 and restarting PostgreSQL should solve the problem. A full restart is not actually needed: ssl_renegotiation_limit can be changed at runtime, so after editing postgresql.conf a reload (pg_ctl reload, or SELECT pg_reload_conf();) is enough, and the same value can be applied per session (SET ssl_renegotiation_limit = 0) or per role (ALTER ROLE user1 SET ssl_renegotiation_limit = 0) when the server configuration is not under your control. The trade-off is that the session keys are never refreshed for the life of the connection, which is acceptable here since the client cannot renegotiate at all. Later releases settled this on both sides: the PostgreSQL 9.4.5 minor release (and the corresponding back-branch releases) changed the default to 0, PostgreSQL 9.5 removed server-side renegotiation and the parameter entirely, and Go 1.7 added tls.Config.Renegotiation (default RenegotiateNever), which a driver has to opt into on its client TLS config.
NetEase Inc. All rights reserved ©1997-2017