Re: Should we back-patch SSL renegotiation fixes?

On Tue, Jun 23, 2015 at 3:48 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> On Tue, Jun 23, 2015 at 2:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> I do not know at this point whether these behaviors are really the same
>>> bug or not, but I wonder whether it's time to consider back-patching the
>>> renegotiation fixes we did in 9.4. Specifically, I think maybe we should
>>> back-patch 31cf1a1a4, 86029b31e, and 36a3be654. (There are more changes
>>> in master, but since those haven't yet shipped in any released branch,
>>> and there's been a lot of other rework in the same area, those probably
>>> are not back-patch candidates.)
>>>
>>> Thoughts?
>
>> I have no clear idea how safe it is to back-port these fixes.
>
> Well, it would mean that pre-9.5 branches all behave the same, which
> would be an improvement in my book. Also, ISTM that the 9.4 code
> for renegotiation assumes a whole lot less than prior branches about
> OpenSSL's internal behavior; so it ought to be more robust, even if
> some bugs remain.
>
>> Just as a point of reference, we had a customer hit a problem similar
>> to bug #12769 on 9.3.x. I think (but am not sure) that 272923a0a may
>> have been intended to fix that issue. In a quick search, I didn't
>> find any other complaints about renegotiation-related issues from our
>> customers.
>
> The problem with trying to adopt code from HEAD is that it probably
> depends on the rather invasive changes explained here:
> http://www.postgresql.org/message-id/20150126101405.GA31719@awork2.anarazel.de
> Even assuming that there's no dependency on the immediate-interrupt
> changes, I'm afraid to back-patch anything that invasive.

What commits actually resulted from that?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company