Re: SSL renegotiation is broken

From: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "Heikki Linnakangas *EXTERN*" <hlinnakangas(at)vmware(dot)com>, "pgsql-jdbc(at)postgresql(dot)org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: SSL renegotiation is broken
Date: 2015-02-20 08:50:23
Message-ID: A737B7A37273E048B164557ADEF4A58B3659D27B@ntex2010i.host.magwien.gv.at
Lists: pgsql-jdbc

Heikki Linnakangas wrote:
> On 02/11/2015 05:02 PM, Albe Laurenz wrote:
>> It seems that SSL renegotiation between the JDBC driver and
>> the PostgreSQL server is broken and has been forever, or at least
>> for a while.
>
> Hah, we're just discussing similar issues over at pgsql-hackers :-).

> I could reproduce this too, thanks for the test case. It looks like an
> OpenSSL bug to me.

> I've been reading on the subject in the last few days, and I think I'm
> enough up to speed now to understand this. I launched the test program
> in a debugger to see what messages are exchanged during the renegotiation.
>
> Renegotiation at the protocol level is always initiated by the Client.
> When the server wants to initiate it, it just sends a message to the
> client that means "hey, could you begin renegotiation, please?". The
> actual handshake goes something like this:
>
> C: ClientHello
> S: ServerHello (or a bunch of other messages?)
> S: ServerHelloDone
> C: ClientKeyExchange
> C: ChangeCipherSpec
> C: Finished
> S: ChangeCipherSpec
> S: Finished
>
> Now, what happens in this test case is that the client also sends
> ApplicationData messages between the ClientHello and Finished steps,
> interleaved with the above handshake messages. According to the TLS
> spec, that is allowed, but OpenSSL gets confused by it.
>
> I can't come up with any way to work around that, unfortunately :-(.

Thanks for that, my further analysis corroborates your findings.

I have opened a bug with OpenSSL:
http://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest

But even if they fix it, it will take some time until Linux distributions
like RHEL will ship with a fixed version.

So it looks like the only option is for Java clients to run with
"ssl_renegotiation_limit=0" for the time being.

Yours,
Laurenz Albe
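
An added example, not part of the original message or of either project's code: a Python script that walks the TLS record headers of a client-to-server byte stream and reports ApplicationData records sent while a renegotiation handshake is in flight, which is the interleaving described in the quoted analysis. It assumes the capture starts after the initial handshake has completed and looks only at record headers, since payloads are encrypted by then; the function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, ALERT, APPLICATION_DATA = 22, 20, 21, 23

def record(ctype, payload, version=0x0303):
    """Build one TLS record: type (1 byte), version (2), length (2), payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def parse_records(stream):
    """Return [(content_type, payload_length), ...] for a byte stream of TLS records."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"unknown content type {ctype} at offset {offset}")
        if offset + 5 + length > len(stream):
            raise ValueError(f"truncated record payload at offset {offset}")
        records.append((ctype, length))
        offset += 5 + length
    return records

def interleaved_app_data(records):
    """Indexes of ApplicationData records sent while a renegotiation is in flight."""
    state, hits = "idle", []
    for i, (ctype, _length) in enumerate(records):
        if ctype == HANDSHAKE:
            # The first handshake record opens the renegotiation; the one that
            # follows ChangeCipherSpec is Finished and closes it.
            state = "idle" if state == "ccs_sent" else "negotiating"
        elif ctype == CHANGE_CIPHER_SPEC and state == "negotiating":
            state = "ccs_sent"
        elif ctype == APPLICATION_DATA and state != "idle":
            hits.append(i)
    return hits

# Constructed sample: the client-to-server half of an established session.
# Payload bytes are readable placeholders; real payloads are encrypted here.
SAMPLE = b"".join([
    record(APPLICATION_DATA, b"query-1"),
    record(HANDSHAKE, b"ClientHello"),
    record(APPLICATION_DATA, b"query-2"),      # interleaved with the handshake
    record(HANDSHAKE, b"ClientKeyExchange"),
    record(CHANGE_CIPHER_SPEC, b"\x01"),
    record(HANDSHAKE, b"Finished"),
    record(APPLICATION_DATA, b"query-3"),
])

if __name__ == "__main__":
    print(interleaved_app_data(parse_records(SAMPLE)))
```
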
