On Tue, Nov 6, 2012 at 12:47 PM, Albe Laurenz <laurenz.a...@wien.gv.at> wrote:
> Magnus Hagander wrote:
>>> I have streaming replication configured over SSL, and
>>> there seems to be a problem with SSL renegotiation.
> [...]
>>> After that, streaming replication reconnects and resumes working.
>>>
>>> Is this an oversight in the replication protocol, or is this
>>> working as designed?
>>
>> This sounds a lot like the general issue with SSL renegotiation, just
>> that it tends to show itself more often on replication connections
>> since they don't disconnect very often...
>>
>> Have you tried disabling SSL renegotiation on the connection
>> (ssl_renegotiation=0)? If that helps, then the SSL library on one of
>> the ends still has the problem with renegotiation...
>
> It can hardly be the CVE-2009-3555 renegotiation problem.
>
> Both machines have OpenSSL 1.0.0, and RFC 5746 was implemented in
> 0.9.8m.

It certainly *sounds* like that problem though. Maybe RedHat carried
along the broken fix? It would surprise me, but given that it's
openssl, not hugely much so :)

It would be worth trying with ssl_renegotiation=0 to see if the problem
goes away.

> But I'll try to test if normal connections have the problem too.

That would be a useful datapoint. All settings around this *should*
happen at a lower layer than the difference between a replication
connection and a regular one, but it would be good to confirm it.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/