From: | Stuart Bishop <stuart(at)stuartbishop(dot)net> |
---|---|
To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Cc: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, Sean Chittenden <sean(at)chittenden(dot)org> |
Subject: | Re: SSL renegotiation |
Date: | 2013-07-11 06:20:06 |
Message-ID: | CADmi=6M=b8OqvGStWsjum165ySrquOTDSRme=OW98gpOUh8_Tw@mail.gmail.com |
Lists: | pgsql-committers pgsql-hackers |
On Thu, Jul 11, 2013 at 4:20 AM, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> wrote:
> I'm having a look at the SSL support code, because one of our customers
> reported it behaves unstably when the network is unreliable. I have yet
> to reproduce the exact problem they're having, but while reading the
> code I notice this in be-secure.c:secure_write() :
The recap of my experiences you requested...
I first saw SSL renegotiation failures on Ubuntu 10.04 LTS (Lucid)
with openssl 0.9.8 (something). I think this was because SSL
renegotiation had been disabled due to CVE-2009-3555 (affecting
all versions before 0.9.8l). I think the version now in lucid is
0.9.8k with fixes for SSL renegotiation, but I haven't tested this.
The failures I saw with no-renegotiation-SSL for streaming replication
looked like this:
On the master:
2012-06-25 16:16:26 PDT LOG: SSL renegotiation failure
2012-06-25 16:16:26 PDT LOG: SSL error: unexpected record
2012-06-25 16:16:26 PDT LOG: could not send data to client: Connection reset by peer
On the hot standby:
2012-06-25 11:12:11 PDT FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
2012-06-25 11:12:11 PDT LOG: record with zero length at 1C5/95D2FE00
Now I'm running Ubuntu 12.04 LTS (Precise) with openssl 1.0.1, and I
think all the known renegotiation issues have been dealt with. I still
get failures, but they are less informative:
<postgres(at)[unknown]:19761> 2013-03-15 03:55:12 UTC LOG: SSL renegotiation failure
--
Stuart Bishop <stuart(at)stuartbishop(dot)net>
http://www.stuartbishop.net/
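The log excerpts in this message are the kind of thing an operator wants to pick out of master and standby logs automatically. The following is an added example, not code from this thread or from PostgreSQL: a small Python scanner that extracts the SSL-related lines shown above, normalizes their timestamps to UTC (the excerpts mix PDT and UTC, and one carries a log_line_prefix), and groups nearby events into candidate session-loss incidents. The sample log text is constructed from the excerpts in this message plus one added checkpoint line; the zone-offset table, the 10-second grouping window and the event category names are assumptions of the example.

```python
"""Pull SSL session-loss events out of PostgreSQL master/standby logs.

Added example for this thread; not PostgreSQL code.  The zone-offset table,
the grouping window and the sample log text are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed abbreviation -> UTC offset (hours) for the zones in the excerpts.
# Abbreviations are ambiguous in general; setting log_timezone = 'UTC' on
# every node avoids needing this table at all.
TZ_OFFSET_HOURS = {"UTC": 0, "PDT": -7, "PST": -8}

# "<prefix> 2013-03-15 03:55:12 UTC LOG: message", with an optional
# log_line_prefix such as "<postgres@[unknown]:19761>" in front.
LINE_RE = re.compile(
    r"^(?:<[^>]*>\s+)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{3,4}) "
    r"(?P<level>LOG|WARNING|ERROR|FATAL|PANIC):\s+(?P<msg>.*)$"
)

# Message shapes quoted in the thread, most specific first so the standby's
# "could not receive data from WAL stream: SSL error: ..." is not filed as a
# generic SSL error.
SSL_KINDS = [
    ("wal_stream_ssl_error",
     re.compile(r"could not receive data from WAL stream: SSL error: (?P<detail>.+)")),
    ("renegotiation_failure", re.compile(r"SSL renegotiation failure(?P<detail>.*)")),
    ("ssl_error", re.compile(r"SSL error: (?P<detail>.+)")),
    ("send_failure", re.compile(r"could not send data to client: (?P<detail>.+)")),
]


def parse_line(line, role):
    """Return an event dict for an SSL-related log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    offset = TZ_OFFSET_HOURS.get(m.group("tz"))
    if offset is None:
        return None  # unknown zone: skip rather than mis-order the timeline
    local = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    ts_utc = local.replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)
    for kind, pat in SSL_KINDS:
        km = pat.search(m.group("msg"))
        if km:
            return {"ts": ts_utc, "role": role, "level": m.group("level"),
                    "kind": kind, "detail": km.group("detail").strip()}
    return None


def scan_log(text, role):
    """All SSL-related events in one node's log, in file order."""
    return [e for e in (parse_line(l, role) for l in text.splitlines()) if e]


def cluster_events(events, window=timedelta(seconds=10)):
    """Group events from any node whose UTC timestamps fall within `window`
    of the previous one; each group is one candidate SSL session loss."""
    groups = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if groups and e["ts"] - groups[-1][-1]["ts"] <= window:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def summarize(groups):
    """One record per group: start time, nodes involved, and whether a
    renegotiation failure or a lost WAL stream was part of it."""
    out = []
    for g in groups:
        kinds = {e["kind"] for e in g}
        out.append({"start": g[0]["ts"].isoformat(),
                    "roles": sorted({e["role"] for e in g}),
                    "renegotiation": "renegotiation_failure" in kinds,
                    "wal_stream_lost": "wal_stream_ssl_error" in kinds,
                    "count": len(g)})
    return out


def analyze(master_log, standby_log):
    """End-to-end: scan both logs, merge on a UTC timeline, summarize."""
    return summarize(cluster_events(scan_log(master_log, "master")
                                    + scan_log(standby_log, "standby")))


# Constructed sample: the excerpts quoted in this message plus one added
# checkpoint line; neither it nor the zero-length-record line is an SSL event.
SAMPLE_MASTER = """\
2012-06-25 16:16:20 PDT LOG: checkpoint starting: time
2012-06-25 16:16:26 PDT LOG: SSL renegotiation failure
2012-06-25 16:16:26 PDT LOG: SSL error: unexpected record
2012-06-25 16:16:26 PDT LOG: could not send data to client: Connection reset by peer
<postgres@[unknown]:19761> 2013-03-15 03:55:12 UTC LOG: SSL renegotiation failure
"""
SAMPLE_STANDBY = """\
2012-06-25 11:12:11 PDT FATAL: could not receive data from WAL stream: SSL error: sslv3 alert unexpected message
2012-06-25 11:12:11 PDT LOG: record with zero length at 1C5/95D2FE00
"""

if __name__ == "__main__":
    for rec in analyze(SAMPLE_MASTER, SAMPLE_STANDBY):
        print(rec)
```

On the sample above the master's three 16:16:26 PDT lines collapse into one incident flagged as a renegotiation failure, the standby's FATAL line becomes a separate incident flagged as a lost WAL stream (the two excerpts were taken at different times, so they do not pair up), and the 2013 line with the log_line_prefix is parsed like the rest. When both nodes log in UTC and the standby's alert lands within a few seconds of the master's renegotiation failure, the two appear in one group, which is the signature to hunt for.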