Field | Value |
---|---|
From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
Cc: | Cameron Vogt <cvogt(at)automaticcontrols(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: TLS session tickets disabled? |
Date: | 2024-08-16 08:11:32 |
Message-ID: | 20FADBBF-886A-48ED-BB0A-6560D90424A6@yesql.se |
Lists: | pgsql-bugs |
> On 15 Aug 2024, at 21:33, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
>> On 15 Aug 2024, at 19:52, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> wrote:
>>
>> On Thu, Aug 15, 2024 at 10:36 AM Cameron Vogt
>> <cvogt(at)automaticcontrols(dot)net> wrote:
>>> I don't know enough about TLS handshakes and session tickets to know where the bug truly lies (PostgreSQL/OpenSSL vs .NET's SslStream).
>>
>> I'm getting the feeling that this is our bug, and that we should be
>> using both SSL_OP_NO_TICKET (for TLSv1.2) and SSL_CTX_set_num_tickets
>> (for TLSv1.3). I don't see any indication in the docs or source that
>> the latter does anything for 1.2.
>
> Thanks for copying me; I have been on vacation and had missed this thread. It
> does indeed have the smell of me messing up when reading the OpenSSL docs =(
The attached, backpatched all the way, should be the correct fix. Sorry for
the mess =(
--
Daniel Gustafsson
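The point made in the quoted reply above is that OpenSSL has two separate controls for session tickets: the SSL_OP_NO_TICKET option covers TLSv1.2 and below, while SSL_CTX_set_num_tickets() only affects the NewSessionTicket messages a TLSv1.3 server sends after the handshake, so a server that wants no tickets at all must set both. The example below is added here for illustration and is not the attached fix.diff nor PostgreSQL's own code; it uses Python's ssl module (3.8 or newer assumed), whose SSLContext.options and SSLContext.num_tickets map onto those two OpenSSL calls, and the function names make_server_context() and ticket_settings() are hypothetical. No certificate is loaded, so the context is only used to inspect its settings, not to complete a handshake.

```python
import ssl


def make_server_context(*, disable_tls12_tickets: bool = True,
                        disable_tls13_tickets: bool = True) -> ssl.SSLContext:
    """Build a TLS server context and switch session tickets off.

    Both knobs are needed for "no tickets" to hold on every protocol version:
      - SSL_OP_NO_TICKET (ctx.options) stops RFC 5077 tickets on TLSv1.2 and
        below; on TLSv1.3 OpenSSL still emits NewSessionTicket messages.
      - SSL_CTX_set_num_tickets(ctx, 0) (ctx.num_tickets) stops the TLSv1.3
        post-handshake tickets and has no effect on TLSv1.2 at all.
    The incomplete fix discussed in the thread corresponds to calling this with
    disable_tls12_tickets=False.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if disable_tls12_tickets:
        ctx.options |= ssl.OP_NO_TICKET          # TLSv1.2 and below
    if disable_tls13_tickets:
        ctx.num_tickets = 0                       # TLSv1.3 only
    return ctx


def ticket_settings(ctx: ssl.SSLContext) -> dict:
    """Read back which ticket mechanisms a server context has disabled.

    Useful as a configuration check: a server is ticket-free only when both
    values are True.
    """
    return {
        "tls12_tickets_off": bool(ctx.options & ssl.OP_NO_TICKET),
        "tls13_tickets_off": ctx.num_tickets == 0,
    }


if __name__ == "__main__":
    # Complete fix: both mechanisms off.
    print("both:", ticket_settings(make_server_context()))
    # Only SSL_CTX_set_num_tickets(ctx, 0): TLSv1.2 clients still get tickets.
    print("num_tickets only:",
          ticket_settings(make_server_context(disable_tls12_tickets=False)))
```

Running the block prints that the num_tickets-only configuration leaves tls12_tickets_off as False, which is exactly the gap a TLSv1.2 client would observe; the check in ticket_settings() is the kind of assertion a deployment test can run against a context before it is handed to the listener.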
Attachment | Content-Type | Size |
---|---|---|
fix.diff | application/octet-stream | 571 bytes |