CRE-2025-0035
psycopg2 SSL error due to thread or forked process state
Severity: Critical
Impact: 7/10
Mitigation: 6/10
Description
Applications using psycopg2 with OpenTelemetry instrumentation or threading may fail with SSL-related errors such as "decryption failed or bad record mac". This typically happens when a TLS-protected PostgreSQL connection is opened in a parent process before it forks worker processes, or when the connection is driven from a thread context the application did not intend. After a fork, the parent and each child hold the same socket and an identical copy of the TLS session state (keys and record sequence numbers); as soon as more than one of them writes, the server receives records whose MACs no longer match its expected sequence, and the connection fails. A single process that is not forking, or that opens its connections only after forking, does not hit this.
Mitigation
- Open every PostgreSQL connection after any fork, i.e. inside each worker process once it exists, never at import time in a pre-fork parent.
- Never share a connection between processes. If a connection must be used from several threads, serialize access to it and do not share cursors, which psycopg2 does not make thread-safe.
- With uWSGI, run with `--lazy-apps` so the application (and its connections) is loaded per worker. With gunicorn, do not enable `--preload` (or `preload_app`), or open connections from a `post_fork` hook; thread- or gevent-based workers only help if connections are created inside the worker.
- Optionally disable the OpenTelemetry psycopg2 instrumentation if it interferes with connection handling or tracing.
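The first two mitigations above amount to one rule: a connection must only ever be used by the process that created it. The following example, added here and not part of the CRE or of psycopg2, shows a small per-process connection holder that enforces that rule by recording the PID that opened the connection and opening a fresh one whenever the PID changes. The `FakeConnection` class and the `connect` callable are constructed stand-ins so the code runs offline; in a real deployment the callable would be something like `lambda: psycopg2.connect(dsn)`.

```python
import os
import threading
from typing import Any, Callable, Optional


class ProcessLocalConnection:
    """Hands out one database connection per OS process.

    A TLS session keeps its record sequence numbers in client memory.  After
    fork(), parent and child share the same socket and an identical copy of
    that state, so whichever side writes second produces a record the server
    rejects ("decryption failed or bad record mac").  The guard below never
    reuses a connection that was opened by a different PID.
    """

    def __init__(self, connect: Callable[[], Any]):
        self._connect = connect          # assumption: e.g. lambda: psycopg2.connect(dsn)
        self._lock = threading.Lock()    # serialize the PID check across threads
        self._conn: Optional[Any] = None
        self._pid: Optional[int] = None

    def get(self, pid: Optional[int] = None) -> Any:
        """Return the connection for this process, opening one if needed.

        `pid` exists only so the fork case can be exercised without forking;
        production callers leave it as None and os.getpid() is used.
        """
        pid = os.getpid() if pid is None else pid
        with self._lock:
            if self._conn is not None and self._pid != pid:
                # Inherited from a parent process: drop the reference WITHOUT
                # calling close().  close() would write a TLS close_notify on
                # the shared socket and corrupt the parent's session as well.
                self._conn = None
            if self._conn is None:
                self._conn = self._connect()
                self._pid = pid
            return self._conn

    def reset(self) -> None:
        """Close and forget the connection; closing is only safe in the owning PID."""
        with self._lock:
            if self._conn is not None and self._pid == os.getpid():
                self._conn.close()
            self._conn = None
            self._pid = None


class FakeConnection:
    """Constructed stand-in for a psycopg2 connection (counts instances)."""

    created = 0

    def __init__(self) -> None:
        FakeConnection.created += 1
        self.id = FakeConnection.created
        self.closed = False

    def close(self) -> None:
        self.closed = True


def demo() -> tuple:
    """Parent opens one connection; a simulated child PID gets a new one."""
    FakeConnection.created = 0
    holder = ProcessLocalConnection(FakeConnection)
    parent_pid = os.getpid()
    a = holder.get()                      # parent: opens connection 1
    b = holder.get()                      # same PID: same object, no new connect
    c = holder.get(pid=parent_pid + 1)    # simulated child: connection 2
    # The inherited connection was discarded, not closed, so the parent's
    # TLS session was never touched from the child.
    return a.id, c.id, a is b, a.closed


if __name__ == "__main__":
    print(demo())   # (1, 2, True, False)
```

Under a pre-fork server this holder can be instantiated at import time: the parent never calls `get()`, and each worker's first `get()` opens its own connection. Thread safety here covers only the holder itself; statements issued on the shared connection still need serialization, and cursors must stay thread-private.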