BUG #12769: SSL-Renegotiation failures

From: pilum(dot)70(at)uni-muenster(dot)de
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #12769: SSL-Renegotiation failures
Date: 2015-02-13 18:52:02
Message-ID: 20150213185202.2590.7260@wrigleys.postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 12769
Logged by: Arne Scheffer
Email address: pilum(dot)70(at)uni-muenster(dot)de
PostgreSQL version: 9.3.6
Operating system: CentOS6, openssl version OpenSSL 1.0.1e-fips
Description:

I get SSL renegotiation failures with streaming standbys. Sometimes the
connection breaks and is reconnected afterwards. However, if I use
pg_basebackup (same libpq connection string), I don't get any of these
failures, although the transferred data is far beyond 512 MB.
So I don't think it's the
SSL renegotiation bug (openssl of a yum-update-patched CentOS 6).
If I disable ssl_renegotiation_limit by setting it to 0, there are no errors any more,
but that is only a workaround, not a solution.

Steps to reproduce with testdata:

Tested on patched centos6, Postgresql 9.3.6

bash-4.1$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Install Repository

yum install postgresql93 postgresql93-server postgresql93-contrib
postgresql93-devel postgresql93-libs

/usr/pgsql-9.3/bin/initdb -D /tmp/data1

Not necessary but comfortable: create two postgresql-93test Init-Scripts (cp
/etc/init.d/postgresql-9.3 postgresql-93test)
- changing data-Directory to /tmp/data1 and /tmp/data2
- changing PGPORT to yourport and yourport2

Start server in data1
On server in data1:
create user replicateme with replication encrypted password 'insecure';

<#####
postgresql.conf:
ssl = on
listen_addresses = 'yourserver.domain.com'
wal_level = hot_standby
# 4GB for WAL segments:
wal_keep_segments = 256
max_wal_senders = 2
#####>

Certificates installed

<##### only 1 line:
pg_hba.conf:
hostssl replication ...
#####>

/usr/pgsql-9.3/bin/pg_basebackup -D /tmp/data2 -v -P -Fp -l testsslbackup -x
-d "host=yourserver.domain.com port=yourport user=replicator
sslmode=verify-full"

<####
recovery.conf:

recovery_target_timeline = 'latest'
standby_mode = 'on'
primary_conninfo = 'host=yourserver.domain.com port=yourport user=replicator
sslmode=verify-full'
#####>

Start standby server in data2

On server in data1:

create database test;
\c test
create table test2 (a int, b text);
insert into test2 (select generate_series(0,5000000,1));
update test2 set
b='sljfdlksjaofjsaolfjsdlkofjdolasjfoldsjfoldsjaolfjdloksjfolajsdflkjsdlokfjslojdalkfjoldsjfoslafjolasljfdloas';

tail -f /tmp/data1/pg_log/postgresql-Fri.log
[...]
< 2015-02-13 18:09:55.964 CET >LOG: SSL renegotiation failure
[...]
< 2015-02-13 18:10:11.819 CET >LOG: SSL renegotiation failure
[...]

/usr/pgsql-9.3/bin/pg_basebackup -D /tmp/data3 -v -P -Fp -l testsslbackup2 -x
-d "host=yourserver.domain.com port=yourport user=replicator
sslmode=verify-full"

tail -f /tmp/data1/pg_log/postgresql-Fri.log
--> nothing!
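
A small triage script for the log evidence above, added here as an example and not part of the original report: it parses lines carrying the `< timestamp tz >LEVEL:` prefix shown in the log excerpt, extracts the "SSL renegotiation failure" entries and measures the time between them. The function names are hypothetical, and the first and last sample lines are constructed; the two failure lines are the ones quoted in the report.

```python
import re
from datetime import datetime

# Log prefix as it appears in the report:
#   < 2015-02-13 18:09:55.964 CET >LOG: SSL renegotiation failure
LINE_RE = re.compile(
    r"^<\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+)\s*>"
    r"(?P<level>[A-Z]+):\s*(?P<msg>.*)$"
)
NEEDLE = "SSL renegotiation failure"


def renegotiation_failures(lines):
    """Return the timestamps of every renegotiation-failure LOG entry.

    Lines that do not match the prefix (e.g. "[...]") are skipped.
    The zone abbreviation is ignored, so all lines are assumed to
    come from one server writing in one time zone.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("level") == "LOG" and NEEDLE in m.group("msg"):
            hits.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"))
    return hits


def gaps_seconds(timestamps):
    """Seconds between consecutive failures, in chronological order."""
    ordered = sorted(timestamps)
    return [round((b - a).total_seconds(), 3) for a, b in zip(ordered, ordered[1:])]


SAMPLE_LOG = [
    "< 2015-02-13 18:09:40.101 CET >LOG:  database system is ready",  # constructed
    "< 2015-02-13 18:09:55.964 CET >LOG: SSL renegotiation failure",  # from the report
    "[...]",
    "< 2015-02-13 18:10:11.819 CET >LOG: SSL renegotiation failure",  # from the report
    "< 2015-02-13 18:10:12.002 CET >ERROR:  some unrelated message",  # constructed
]

if __name__ == "__main__":
    found = renegotiation_failures(SAMPLE_LOG)
    print(f"{len(found)} renegotiation failures")
    for gap in gaps_seconds(found):
        print(f"  gap to next failure: {gap} s")
```

Run against the primary's log during both the streaming-replication test and the pg_basebackup test, the same function gives a direct count to compare between the two cases.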
