Re: Rare SSL failures on eelpout

On Wed, Mar 6, 2019 at 9:21 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Thomas Munro <thomas(dot)munro(at)gmail(dot)com> writes:
> > Bleugh. I think this OpenSSL package might just be buggy on ARM. On
> > x86, apparently the same version of OpenSSL and all other details of
> > the test the same, I can see that SSL_connect() returns <= 0
> > (failure), and then we ask for that cert revoked message directly and
> > never even reach the startup packet sending code. On ARM,
> > SSL_connect() returns 1 (success) and then we proceed as discussed and
> > eventually get the error later (or not). So I think I should figure
> > out a minimal repro and report this to them.
>
> Yeah, I've still been unable to reproduce even with the sleep idea,
> so eelpout is definitely looking like a special snowflake from here.
> In any case, there seems little doubt that getting past SSL_connect()
> when the cert check has failed is an OpenSSL bug; I don't feel a need
> to create a workaround for it.

I was wrong: it breaks on an x86 system for me too (either with the
sleep, or with clunky scheduling, I was running psql under strace when
I saw it). Not sure what I did wrong last time I tried that. I
opened a bug report with OpenSSL, let's see what they say:

https://github.com/openssl/openssl/issues/8500

--
Thomas Munro
https://enterprisedb.com