I was playing around with 7.3.1 and found some more SSL problems. The first, that I missed when checking over 7.3.1, was that the client method was switched to SSLv23 along with the server. The SSLv23 client method does SSLv2 by default, but can also understand SSLv3. In our situation the SSLv2 backwords compatibility is really only needed on the server. This is the first patch.
The second was that renegotiation was just plain broken. I can't believe I
didn't notice this before -- once 64k was sent to/from the server the client
would crash. Basicly, in 7.3 the server SSL code set the initial state to
"about to renegotiate" without actually starting the renegotiation. In
addition, the server and client didn't properly handle the
SSL_ERROR_WANT_(READ|WRITE) error. This is fixed in the second patch.
The last thing is that I found a way for the server to understand SSLv2 HELLO
messages (sent by pre-7.3 clients) but then get them to talk SSLv3. This is the
last one.
Hopefully this is the end of the SSL fixes. I've ran some pretty heavy stress
tests against a patched installation and I haven't noticed any problems yet.
Then again, I didn't notice the renegotiation problems until yesterday...
--Nate
sslpatch.1
Description: Binary data
sslpatch.2
Description: Binary data
sslpatch.3
Description: Binary data
---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
