Re: Problem with streaming replication over SSL

On Tue, Nov 6, 2012 at 12:47 PM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>wrote:

> Magnus Hagander wrote:
> >> I have streaming replication configured over SSL, and
> >> there seems to be a problem with SSL renegotiation.
> [...]
> >> After that, streaming replication reconnects and resumes working.
> >>
> >> Is this an oversight in the replication protocol, or is this
> >> working as designed?
>
> > This sounds a lot like the general issue with SSL renegotiation, just
> that it tends to show itself
> > more often on replication connections since they don't disconnect very
> often...
> >
> > Have you tried disabling SSL renegotiation on the connection
> (ssl_renegotation=0)? If that helps, then
> > the SSL library on one of the ends still has the problem with
> renegotiation...
>
> It can hardly be the CVE-2009-3555 renegotiation problem.
>
> Both machines have OpenSSL 1.0.0, and RFC 5746 was implemented in
> 0.9.8m.
>

It certainly *sounds* like that problem though. Maybe RedHat carried along
the broken fix? It would surprise me, but given that it's openssl, not
hugely much so :)

It would be worth trying with ssl_renegotiation=0 to see if the problem
goes away.

But I'll try to test if normal connections have the problem too.
>

That would be a useful datapoint. All settings around this *should* happen
at a lower layer than the difference between a replication connection and a
regular one, but it would be good to confir mit.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/