On Wed, Dec 29, 2010 at 11:27 AM, Tom Lane <[email protected]> wrote:
> Paul Davis <[email protected]> writes:
>> And this intriguing error in the server logs from around that time:
>
>> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG: SSL failed to send renegotiation request
>> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG: could not send data to client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG: could not receive data from client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG: unexpected EOF on client connection
>
>> Googling, I see something that suggests turning off SSL renegotiation
>> which I'll try next.
>
> In all cases, you were testing a client against a server on a different
> machine, right? This looks to me like you've got two different openssl
> libraries, one of which has a bogus partial fix for the recent SSL
> renegotiation security issue. I'm not sure what the state of play is
> in Apple's shipping version of openssl --- you might have to get an
> up-to-date source distribution and compile it yourself to have non-bogus
> renegotiation behavior. Or you could just disable renegotiation on the
> PG server.
>
> regards, tom lane
>

Yeah, all failures were between separate machines with various
versions of OpenSSL that I never thought to keep track of. After more
Googling I've found that OS X "fixed" the renegotiation issue by
disabling it in a security fix [1]. For the time being I'll just
disable it server side as traffic isn't ever routed across a public
network.

Thanks for the help.

Paul Davis

[1] http://support.apple.com/kb/HT4004

--
Sent via pgsql-bugs mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
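
Added example, not part of the original thread or of PostgreSQL: a small log triage script that separates client disconnects logged alongside SSL renegotiation errors (the pattern quoted above) from ordinary disconnects. The function name `triage` and the sample log are constructed for illustration, and it assumes a timestamp-only log prefix as in the quoted lines, so events are grouped by timestamp.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
2010-12-28 18:40:02 EST LOG:  SSL renegotiation failure
2010-12-28 18:40:02 EST LOG:  SSL error: unsafe legacy renegotiation disabled
2010-12-28 18:40:02 EST LOG:  could not send data to client: Connection reset by peer
2010-12-28 18:40:02 EST LOG:  unexpected EOF on client connection
2010-12-28 18:41:10 EST LOG:  unexpected EOF on client connection
2010-12-28 18:42:30 EST LOG:  SSL failed to send renegotiation request
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+) LOG:\s+(.*)$")
# Messages that point at the renegotiation handshake itself.
RENEG = ("SSL renegotiation failure",
         "SSL failed to send renegotiation request",
         "unsafe legacy renegotiation disabled")
# Messages that only say the connection went away.
DROP = ("could not send data to client",
        "could not receive data from client",
        "unexpected EOF on client connection")


def triage(log_text):
    """Return {timestamp: verdict} for timestamps with a disconnect or renegotiation error."""
    seen = defaultdict(lambda: {"reneg": 0, "drop": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation lines or other prefixes
        ts, msg = m.groups()
        if any(s in msg for s in RENEG):
            seen[ts]["reneg"] += 1
        elif any(s in msg for s in DROP):
            seen[ts]["drop"] += 1
    verdicts = {}
    for ts, c in seen.items():
        if c["reneg"] and c["drop"]:
            verdicts[ts] = "disconnect during SSL renegotiation"
        elif c["reneg"]:
            verdicts[ts] = "renegotiation error, no disconnect logged"
        else:
            verdicts[ts] = "disconnect without renegotiation error"
    return verdicts


if __name__ == "__main__":
    for ts, verdict in triage(SAMPLE_LOG).items():
        print(ts, "->", verdict)
```
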
