Re: Should we back-patch SSL renegotiation fixes?

Robert Haas wrote:
> On Tue, Jun 23, 2015 at 2:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> > I do not know at this point whether these behaviors are really the same
> > bug or not, but I wonder whether it's time to consider back-patching the
> > renegotiation fixes we did in 9.4. Specifically, I think maybe we should
> > back-patch 31cf1a1a4, 86029b31e, and 36a3be654. (There are more changes
> > in master, but since those haven't yet shipped in any released branch,
> > and there's been a lot of other rework in the same area, those probably
> > are not back-patch candidates.)

Yes, +1 for backpatching. Don't forget 5674460b and b1aebbb6.

I could reproduce problems trivially with COPY in psql without that and
a small renegotiation limit, as I recall.

> > Thoughts?
>
> I have no clear idea how safe it is to back-port these fixes.
>
> Just as a point of reference, we had a customer hit a problem similar
> to bug #12769 on 9.3.x. I think (but am not sure) that 272923a0a may
> have been intended to fix that issue.

Maybe we should *also* backpatch that, then (and if so, then also its
fixup 1c2b7c087). I do not think that the failure was introduced by
the fixes cited above.

> In a quick search, I didn't find any other complaints about
> renegotiation-related issues from our customers.

Other issues Andres was investigating seemed related to nonblocking
connections (which as I recall are used mostly by replication code).
Bug #12769 contained a link to the previous discussion.

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services