Discussion:
[ADMIN] ssl3 errors in replication.
Mario Splivalo
2012-02-02 07:36:35 UTC
I have these errors in my log files, occurring very often:

2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:05:58 CST [20507]: [301-1] user=,db= LOG: invalid magic
number 0000 in log file 970, segment 37, offset 15728640
2012-02-02 01:05:58 CST [4104]: [1-1] user=,db= LOG: streaming
replication successfully connected to primary
2012-02-02 01:14:28 CST [4104]: [2-1] user=,db= FATAL: could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:14:33 CST [20507]: [302-1] user=,db= LOG: unexpected
pageaddr 3C9/CBE6A000 in log file 970, segment 196, offset 15114240
2012-02-02 01:14:33 CST [4212]: [1-1] user=,db= LOG: streaming
replication successfully connected to primary
2012-02-02 01:15:10 CST [4212]: [2-1] user=,db= FATAL: could not
receive data from WAL stream: SSL error: sslv3 alert unexpected message

2012-02-02 01:15:10 CST [20507]: [303-1] user=,db= LOG: unexpected
pageaddr 3C9/B0F80000 in log file 970, segment 227, offset 16252928
2012-02-02 01:15:10 CST [4269]: [1-1] user=,db= LOG: streaming
replication successfully connected to primary


These are happening every few minutes. This started happening when I
upgraded master and slave from 9.1.1 to 9.1.2 (upgrade was related to
often segfaulting of slave when additional load was put onto WALs - a
lot of DML on the master made slave segfault). Before the upgrade I had
'sslv3 alert' issues maybe once every few days.

I've added another slave to the setup, and I have same issues there as
on the other slave - the difference is that the newly added slave has no
clients connected to it.

This is all set up on 64bit debian squeeze upgraded to latest packages,
where postgres 9.1.2 is installed from backports repositories:

postgres=# select version();
version

-------------------------------------------------------------------------------------------------------
PostgreSQL 9.1.2 on x86_64-unknown-linux-gnu, compiled by gcc-4.6.real
(Debian 4.6.2-9) 4.6.2, 64-bit
(1 row)
--
Sent via pgsql-admin mailing list (pgsql-***@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
Tom Lane
2012-02-02 16:16:14 UTC
Post by Mario Splivalo
> 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
> receive data from WAL stream: SSL error: sslv3 alert unexpected message
Google suggests that this might be caused by version or configuration
mismatches between openssl libraries on the master and slave machines.
One particular thing I'm wondering about is whether your openssl
libraries deal with the SSL renegotiation bug sanely (ie they've got
a fix for it that's less brain-dead than breaking the connection).

regards, tom lane
Mario Splivalo
2012-02-02 16:15:58 UTC
Post by Tom Lane
> Post by Mario Splivalo
> > 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
> > receive data from WAL stream: SSL error: sslv3 alert unexpected message
> Google suggests that this might be caused by version or configuration
> mismatches between openssl libraries on the master and slave machines.
> One particular thing I'm wondering about is whether your openssl
> libraries deal with the SSL renegotiation bug sanely (ie they've got
> a fix for it that's less brain-dead than breaking the connection).
Is there a way I can force replication over non-ssl channel? All those
boxes are in my private network and ssl is a bit overhead there anyhow.

Mario
Mario Splivalo
2012-02-02 16:24:09 UTC
Post by Mario Splivalo
> Post by Tom Lane
> > Post by Mario Splivalo
> > > 2012-02-02 01:05:53 CST [4103]: [2-1] user=,db= FATAL: could not
> > > receive data from WAL stream: SSL error: sslv3 alert unexpected message
> > Google suggests that this might be caused by version or configuration
> > mismatches between openssl libraries on the master and slave machines.
> > One particular thing I'm wondering about is whether your openssl
> > libraries deal with the SSL renegotiation bug sanely (ie they've got
> > a fix for it that's less brain-dead than breaking the connection).
> Is there a way I can force replication over non-ssl channel? All those
> boxes are in my private network and ssl is a bit overhead there anyhow.
Reading the docs, it shouldn't use SSL when connecting.

Here is my recovery.conf on the slave:

standby_mode = 'on'
primary_conninfo = 'host=10.21.32.22 port=5432 user=replication password=ueberseecret' # ded803
trigger_file = '/var/run/pg-trigger'

And here is excerpt from pg_hba.conf on master:

***@ded803:~# grep repl /etc/postgresql/9.1/main/pg_hba.conf | grep -v ^#
host replication replication 10.21.32.82/32 md5
host postgres replication 10.21.32.82/32 md5

(The second entry is for munin plugin on slave used to trend the slave lag.)

Mario
Tom Lane
2012-02-02 16:45:38 UTC
Post by Mario Splivalo
> Reading the docs, it shouldn't use SSL when connecting.
I think you're misreading the docs. There's nothing in your
configuration that *forbids* an SSL connection, and libpq will try SSL
first unless configured otherwise. Try adding sslmode=disable.

regards, tom lane
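
Added example (not part of the original thread and not PostgreSQL project code): a simplified Python model of the behaviour described in the last reply, where libpq's default sslmode of prefer tries SSL first and a pg_hba.conf "host" record accepts both SSL and non-SSL connections. It assumes the primary runs with ssl = on; the function names and the placeholder password are constructed for illustration.

```python
import ipaddress
import shlex

# pg_hba.conf record type -> transports it matches.
HBA_TRANSPORT = {"host": {"ssl", "plain"}, "hostssl": {"ssl"}, "hostnossl": {"plain"}}
# libpq sslmode -> transports tried, in order; "prefer" is the default.
SSLMODE_ATTEMPTS = {
    "disable": ["plain"], "allow": ["plain", "ssl"], "prefer": ["ssl", "plain"],
    "require": ["ssl"], "verify-ca": ["ssl"], "verify-full": ["ssl"],
}

# Constructed samples modelled on the thread (password replaced with a placeholder).
CONNINFO = "host=10.21.32.22 port=5432 user=replication password=PLACEHOLDER"
HBA = """\
host replication replication 10.21.32.82/32 md5
host postgres    replication 10.21.32.82/32 md5
"""

def parse_conninfo(conninfo):
    """Split a libpq keyword=value string into a dict (quotes handled by shlex)."""
    return dict(token.split("=", 1) for token in shlex.split(conninfo))

def first_match(hba_text, transport, database, user, client_ip):
    """Auth method of the first pg_hba record matching this connection, else None.
    Simplified: CIDR addresses only, no groups, netmask columns or host names."""
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or transport not in HBA_TRANSPORT.get(fields[0], ()):
            continue
        db, usr, addr, method = fields[1:5]
        # "all" never matches the replication pseudo-database.
        if db != database and (db != "all" or database == "replication"):
            continue
        if usr not in ("all", user):
            continue
        if ipaddress.ip_address(client_ip) in ipaddress.ip_network(addr, strict=False):
            return method
    return None

def negotiated_transport(conninfo, hba_text, client_ip, database="replication"):
    """Transport the standby ends up on, assuming the primary runs with ssl = on."""
    params = parse_conninfo(conninfo)
    for transport in SSLMODE_ATTEMPTS[params.get("sslmode", "prefer")]:
        method = first_match(hba_text, transport, database, params["user"], client_ip)
        if method and method != "reject":
            return transport
    return None

if __name__ == "__main__":
    print(negotiated_transport(CONNINFO, HBA, "10.21.32.82"))
    print(negotiated_transport(CONNINFO + " sslmode=disable", HBA, "10.21.32.82"))
```

Changing the record type to hostssl or hostnossl on the primary pins the transport from the server side, whatever sslmode the standby sets.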