| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Should we back-patch SSL renegotiation fixes? |
| Date: | 2015-06-24 16:26:53 |
| Message-ID: | 3029.1435163213@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Andres Freund <andres(at)anarazel(dot)de> writes:
> On 2015-06-24 11:57:53 -0400, Peter Eisentraut wrote:
>> If Red Hat fixes their bug, then PostgreSQL doesn't have any actual
>> problem anymore, does it?
> It does, there are numerous bugs around renegotiation that exist with
> upstream openssl and postgres. More in the older branches, but even in
> HEAD we break regularly. Most only occur in replication connections (due
> to copy both) and/or when using more complex clients where clients and
> servers send data at the same time due to pipelining.
The lesson to learn from the Red Hat fiasco is that vendors are not
adequately testing renegotiation either. All the more reason to get
out from under it. I did not like being told that "Postgres fails and
$randomapp doesn't, therefore it's Postgres' problem" when actually
the difference was that $randomapp doesn't invoke renegotiation.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2015-06-24 16:34:44 | Re: Removing SSL renegotiation (Was: Should we back-patch SSL renegotiation fixes?) |
| Previous Message | Andres Freund | 2015-06-24 16:01:51 | Re: Should we back-patch SSL renegotiation fixes? |