Re: More SSL patches

Patch applied to HEAD and 7.3.2. Thanks for the fixes, Nathan.

---------------------------------------------------------------------------

Nathan Mueller wrote:
> I was playing around with 7.3.1 and found some more SSL problems. The first,
> that I missed when checking over 7.3.1, was that the client method was switched
> to SSLv23 along with the server. The SSLv23 client method does SSLv2 by
> default, but can also understand SSLv3. In our situation the SSLv2 backwords
> compatibility is really only needed on the server. This is the first patch.
>
> The second was that renegotiation was just plain broken. I can't believe I
> didn't notice this before -- once 64k was sent to/from the server the client
> would crash. Basicly, in 7.3 the server SSL code set the initial state to
> "about to renegotiate" without actually starting the renegotiation. In
> addition, the server and client didn't properly handle the
> SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch.
>
> The last thing is that I found a way for the server to understand SSLv2 HELLO
> messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the
> last one.
>
> Hopefully this is the end of the SSL fixes. I've ran some pretty heavy stress
> tests against a patched installation and I haven't noticed any problems yet.
> Then again, I didn't notice the renegotiation problems until yesterday...
>
> --Nate
>

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073