Re: Problem with streaming replication over SSL

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Problem with streaming replication over SSL
Date: 2012-11-06 10:01:38
Message-ID: CABUevEyhwUFU2uNJM4YXwii2S97hS9mnUyv1gpNfXEAMB_bEAg@mail.gmail.com
Lists: pgsql-general

On Tue, Nov 6, 2012 at 10:47 AM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> wrote:

> I have streaming replication configured over SSL, and
> there seems to be a problem with SSL renegotiation.
>
> This is from the primary's log:
>
> 2012-11-06 00:13:10.990 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,10,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08P01,"SSL renegotiation failure",,,,,,,,,"walreceiver"
>
> 2012-11-06 00:13:10.998 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,11,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08P01,"SSL error: unexpected record",,,,,,,,,"walreceiver"
>
> 2012-11-06 00:13:10.998 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,12,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08006,"could not send data to client: Connection reset by peer",,,,,,,,,"walreceiver"
>
> This is what the standby has to say:
>
> 2012-11-06 00:13:11.001 CET,,,26789,,509843df.68a5,2,,2012-11-05 23:55:27 CET,,0,FATAL,XX000,"could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
> ",,,,,,,,,""
>
> This is PostgreSQL 9.1.3 on RHEL 6, openssl-1.0.0-20.el6.x86_64,
> kernel 2.6.32-220.el6.x86_64.
>
>
> After that, streaming replication reconnects and resumes working.
>
> Is this an oversight in the replication protocol, or is this
> working as designed?
>
>
This sounds a lot like the general issue with SSL renegotiation, just that
it tends to show itself more often on replication connections since they
don't disconnect very often...

Have you tried disabling SSL renegotiation on the connection
(ssl_renegotation=0)? If that helps, then the SSL library on one of the
ends still has the problem with renegotiation...

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
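
Added example, not part of the original message or of PostgreSQL: a Python sketch that reads csvlog records like the ones quoted above, groups SSL errors by session, and reports how long each connection had been open when the first error was logged. It assumes the 23-column csvlog layout of PostgreSQL 9.1; the names `ssl_failures` and `_ts` are hypothetical.

```python
import csv
import io
from datetime import datetime

# Column order of the csvlog format in PostgreSQL 9.1 (23 fields).
COLUMNS = (
    "log_time user_name database_name process_id connection_from session_id "
    "session_line_num command_tag session_start_time virtual_transaction_id "
    "transaction_id error_severity sql_state_code message detail hint "
    "internal_query internal_query_pos context query query_pos location "
    "application_name"
).split()

# The records quoted in the message above, re-joined onto single lines.
SAMPLE_LOG = '''\
2012-11-06 00:13:10.990 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,10,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08P01,"SSL renegotiation failure",,,,,,,,,"walreceiver"
2012-11-06 00:13:10.998 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,11,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08P01,"SSL error: unexpected record",,,,,,,,,"walreceiver"
2012-11-06 00:13:10.998 CET,"replication","",5204,"10.153.109.3:49889",509843df.1454,12,"streaming 1E3/76D64000",2012-11-05 23:55:27 CET,4/0,0,LOG,08006,"could not send data to client: Connection reset by peer",,,,,,,,,"walreceiver"
2012-11-06 00:13:11.001 CET,,,26789,,509843df.68a5,2,,2012-11-05 23:55:27 CET,,0,FATAL,XX000,"could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
",,,,,,,,,""
'''

def _ts(value):
    """Parse a csvlog timestamp, ignoring the trailing zone abbreviation."""
    stamp = value.rsplit(" ", 1)[0]
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in stamp else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(stamp, fmt)

def ssl_failures(csv_text):
    """Return one summary per session that logged an SSL error."""
    sessions = {}
    # csv.reader keeps the newline embedded in the standby's quoted message.
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(COLUMNS):
            continue  # blank or malformed line
        rec = dict(zip(COLUMNS, row))
        if "SSL" not in rec["message"]:
            continue
        age = _ts(rec["log_time"]) - _ts(rec["session_start_time"])
        s = sessions.setdefault(rec["session_id"], {
            "peer": rec["connection_from"],
            "application_name": rec["application_name"],
            # Age of the connection when its first SSL error was logged.
            "seconds_connected": age.total_seconds(),
            "renegotiation": False,
            "messages": [],
        })
        s["messages"].append(rec["message"].strip())
        s["renegotiation"] |= "renegotiation" in rec["message"]
    return sessions
```

On the quoted records this yields two sessions, the primary's walsender session and the standby's walreceiver process, both about 1064 seconds old when the error was logged.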
