Should we back-patch SSL renegotiation fixes?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Should we back-patch SSL renegotiation fixes?
Date: 2015-06-23 18:33:21
Message-ID: 5624.1435084401@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Those of you who have been following
http://www.postgresql.org/message-id/flat/1d3bc192-970d-4b70-a5fe-38d2a9f762b3(at)me(dot)com
are aware that Red Hat shipped a rather broken version of openssl last
week. While waiting for them to fix it, I've been poking at the behavior,
and have found out that PG 9.4 and later are much less badly broken than
older branches. In the newer branches you'll see a failure only after
transmitting 2GB within a session, whereas the older branches fail at
the second renegotiation attempt, which would typically be 1GB of data
and could be a lot less.

I do not know at this point whether these behaviors are really the same
bug or not, but I wonder whether it's time to consider back-patching the
renegotiation fixes we did in 9.4. Specifically, I think maybe we should
back-patch 31cf1a1a4, 86029b31e, and 36a3be654. (There are more changes
in master, but since those haven't yet shipped in any released branch,
and there's been a lot of other rework in the same area, those probably
are not back-patch candidates.)

Thoughts?

regards, tom lane

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Paquier 2015-06-23 18:36:14 Re: pg_rewind failure by file deletion in source server
Previous Message Magnus Hagander 2015-06-23 18:14:42 Re: pg_stat_*_columns?