
CRE-2025-0035

psycopg2 SSL error due to thread or forked process state
Severity: Critical
Impact: 7/10
Mitigation: 6/10


Description

Applications using psycopg2 with OpenTelemetry instrumentation or threading may fail with SSL-related errors such as "decryption failed or bad record mac". This often occurs when a database connection is created before a fork or from an unsafe thread context, causing the SSL state to become invalid.


Cause

This error results from unsafe interaction between OpenSSL, process forks, and threading. psycopg2 uses libpq, which in turn uses OpenSSL. If a fork occurs after a connection is established, or if shared SSL state is accessed across threads unsafely, PostgreSQL may reject the connection with SSL-level errors.


Mitigation

  • Ensure all PostgreSQL connections are created after any forks (e.g., inside a worker thread or process).
  • Avoid sharing DB connections across threads or subprocesses.
  • If using uWSGI or gunicorn, configure the server so the application (and therefore its connections) is loaded after the workers fork, e.g. `--lazy-apps` in uWSGI, or use gevent/thread-aware worker models.
  • Optionally disable OpenTelemetry DB instrumentation if it interferes with connection tracing.
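The first two mitigations in code, as an added example that is not part of the CRE entry: a connector that keeps one connection per thread and reopens it when the process ID changes after a fork, instead of reusing the socket inherited from the parent. `ForkSafeConnector`, `get_from_new_thread` and the injectable `getpid` hook are names assumed here; the `connect` callable stands in for `psycopg2.connect`.

```python
import os
import threading
from typing import Any, Callable


class ForkSafeConnector:
    """One connection per (process, thread); hypothetical helper, not from the page.

    A libpq/OpenSSL connection opened before fork() is inherited by the child; if both
    processes write to it, the TLS record stream is corrupted ("bad record mac"). get()
    therefore reopens the connection whenever the PID differs from the one that made it.
    """

    def __init__(self, connect: Callable[[], Any], getpid: Callable[[], int] = os.getpid):
        self._connect = connect          # e.g. functools.partial(psycopg2.connect, dsn)
        self._getpid = getpid            # injectable so a fork can be simulated in tests
        self._local = threading.local()  # threads never share a connection
        self.opened = 0                  # count of real connections opened

    def get(self) -> Any:
        pid = self._getpid()
        conn = getattr(self._local, "conn", None)
        if conn is not None and self._local.pid == pid:
            return conn                  # same process and same thread: reuse
        if conn is not None:
            # Inherited across fork: drop it without close(), which would send a
            # Terminate message inside the parent's TLS session over the shared socket.
            self._local.conn = None
        conn = self._connect()
        self.opened += 1
        self._local.conn, self._local.pid = conn, pid
        return conn


def get_from_new_thread(connector: ForkSafeConnector) -> Any:
    """Return the connection a freshly started worker thread receives."""
    box: list = []
    worker = threading.Thread(target=lambda: box.append(connector.get()))
    worker.start()
    worker.join()
    return box[0]


if __name__ == "__main__":
    # Offline demo: constructed stand-in for psycopg2.connect, then a real fork.
    connector = ForkSafeConnector(object)
    parent_conn = connector.get()
    child = os.fork()
    if child == 0:
        os._exit(0 if connector.get() is not parent_conn else 1)
    print("child opened its own connection:", os.WEXITSTATUS(os.waitpid(child, 0)[1]) == 0)
```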

References