> > > Doing SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF) > doesn't > > have any effect whatsoever - I still have the same issue (session id > > context uninitialized). I suspect session caching is an entirely > different > > feature from session tickets/RFC5077 (although it might still be a good > > idea to disable). > > Right, we expected that that would have no visible effect, because there > is no way to cache sessions in Postgres anyway. The main point, if I > understand Heikki's concern correctly, is that this might save some > amount of low-level overhead from clients trying to cache connections. >
OK, sounds right (i.e. this is a defensive measure that isn't directly connected to my problem but makes sense). > Doing SSL_CTX_set_options(context, SSL_OP_NO_TICKET) indeed resolves the > > issue, as expected. > > Excellent. I'll push this patch tomorrow sometime (too late/tired > right now). > Great. Do you think it's possible to backport to the other maintained branches as well, seeing as how this is quite trivial and low-impact? > > As I wrote above, I'd remove the #ifdef and execute it always. > > The reason I put the #ifdef in is that according to my research the > SSL_OP_NO_TICKET symbol was introduced in openssl 0.9.8f, while we > claim to support back to 0.9.8. I'd be the first to say that you're > nuts if you're running openssl versions that old; but this patch is not > something to move the compatibility goalposts for when it only takes > an #ifdef to avoid breaking older versions. > > (I need to check how far back SSL_SESS_CACHE_OFF goes ... we might > need an #ifdef for that too.) > Ah OK, thanks for the explanation - makes perfect sense.