Magnus Hagander wrote:
>>>> I have streaming replication configured over SSL, and
>>>> there seems to be a problem with SSL renegotiation.
>> [...]
>>>> After that, streaming replication reconnects and resumes working.
>>>>
>>>> Is this an oversight in the replication protocol, or is this
>>>> working as designed?

>>> This sounds a lot like the general issue with SSL renegotiation, just
>>> that it tends to show itself more often on replication connections
>>> since they don't disconnect very often...
>>>
>>> Have you tried disabling SSL renegotiation on the connection
>>> (ssl_renegotation=0)? If that helps, then the SSL library on one of
>>> the ends still has the problem with renegotiation...

>> It can hardly be the CVE-2009-3555 renegotiation problem.
>>
>> Both machines have OpenSSL 1.0.0, and RFC 5746 was implemented
>> in 0.9.8m.

> It certainly *sounds* like that problem though. Maybe RedHat carried
> along the broken fix? It would surprise me, but given that it's
> openssl, not hugely much so :)
>
> It would be worth trying with ssl_renegotiation=0 to see if the problem
> goes away.

I tried, and that makes the problem go away.
This is to be expected of course, because no
renegotiation will take place with that setting.

>> But I'll try to test if normal connections have the problem too.

> That would be a useful datapoint. All settings around this *should*
> happen at a lower layer than the difference between a replication
> connection and a regular one, but it would be good to confirm it.

I tried, and a normal data connection does not have the
problem. I transferred more than 0.5 GB of data (at which
point renegotiation should take place), and there was no error.

Does it make sense to try and take a stack trace of the
problem, on primary or standby?

Yours,
Laurenz Albe