From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
Cc: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Rare SSL failures on eelpout |
Date: | 2019-03-17 23:43:44 |
Message-ID: | 26265.1552866224@sss.pgh.pa.us |
Lists: | pgsql-hackers |

I wrote:
> Thomas Munro <thomas(dot)munro(at)gmail(dot)com> writes:
>> This was an intentional change in TLS1.3, reducing round trips by
>> verifying the client certificate later.
>
> Ugh. So probably we can reproduce it elsewhere if we use cutting-edge
> OpenSSL versions.

I installed OpenSSL 1.1.1a on my Mac laptop. I got through 100 cycles
of the ssl tests without a problem, which is not too surprising because
longfin has been running on pretty much the exact same software stack
since late November, and it has not shown the problem. However ...

I threw in the sleep() where you advised in fe-connect.c, and kaboom!

```
t/001_ssltests.pl .. 67/75
# Failed test 'certificate authorization fails with revoked client cert: matches'
# at t/001_ssltests.pl line 375.
# 'psql: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# could not send startup packet: Broken pipe
# '
# doesn't match '(?^:SSL error)'
t/001_ssltests.pl .. 74/75
# Failed test 'intermediate client certificate is missing: matches'
# at t/001_ssltests.pl line 411.
# 'psql: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# could not send startup packet: Broken pipe
# '
# doesn't match '(?^:SSL error)'
# Looks like you failed 2 tests of 75.
t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/75 subtests
t/002_scram.pl ..... ok
```

It seems quite repeatable this way.

So that confirms that it's the OpenSSL version that is critical,
and that you need a very new version to make it fail.

I shall now see about fixing it...

regards, tom lane