On Tue, Jun 23, 2015 at 2:33 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> Those of you who have been following
> http://www.postgresql.org/message-id/flat/1d3bc192-970d-4b70-a5fe-38d2a9f76...@me.com
> are aware that Red Hat shipped a rather broken version of openssl last
> week. While waiting for them to fix it, I've been poking at the behavior,
> and have found out that PG 9.4 and later are much less badly broken than
> older branches. In the newer branches you'll see a failure only after
> transmitting 2GB within a session, whereas the older branches fail at
> the second renegotiation attempt, which would typically be 1GB of data
> and could be a lot less.
>
> I do not know at this point whether these behaviors are really the same
> bug or not, but I wonder whether it's time to consider back-patching the
> renegotiation fixes we did in 9.4. Specifically, I think maybe we should
> back-patch 31cf1a1a4, 86029b31e, and 36a3be654. (There are more changes
> in master, but since those haven't yet shipped in any released branch,
> and there's been a lot of other rework in the same area, those probably
> are not back-patch candidates.)
>
> Thoughts?

I have no clear idea how safe it is to back-port these fixes. Just as a point of reference, we had a customer hit a problem similar to bug #12769 on 9.3.x. I think (but am not sure) that 272923a0a may have been intended to fix that issue. In a quick search, I didn't find any other complaints about renegotiation-related issues from our customers.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers