Re: [HACKERS] SSL renegotiation and other related woes

2015-02-13 Thread Heikki Linnakangas
On 02/12/2015 01:41 AM, Andres Freund wrote: Hi, On 2015-02-05 23:03:02 +0200, Heikki Linnakangas wrote: On 01/26/2015 12:14 PM, Andres Freund wrote: Hi, When working on getting rid of ImmediateInterruptOK I wanted to verify that ssl still works correctly. Turned out it didn't. But neither

Re: [HACKERS] SSL renegotiation and other related woes

2015-02-12 Thread Heikki Linnakangas
On 02/12/2015 01:33 AM, Andres Freund wrote: On 2015-02-11 14:54:03 +0200, Heikki Linnakangas wrote: Thoughts? Can you reproduce any errors with this? I'm on battery right now, so I can't really test much. Did you test having an actual standby instead of pg_receivexlog? I saw some slightly

Re: [HACKERS] SSL renegotiation and other related woes

2015-02-11 Thread Andres Freund
On 2015-02-11 14:54:03 +0200, Heikki Linnakangas wrote: Thoughts? Can you reproduce any errors with this? I'm on battery right now, so I can't really test much. Did you test having an actual standby instead of pg_receivexlog? I saw some slightly different errors there. Does this patch alone

Re: [HACKERS] SSL renegotiation and other related woes

2015-02-11 Thread Andres Freund
Hi, On 2015-02-05 23:03:02 +0200, Heikki Linnakangas wrote: On 01/26/2015 12:14 PM, Andres Freund wrote: Hi, When working on getting rid of ImmediateInterruptOK I wanted to verify that ssl still works correctly. Turned out it didn't. But neither did it in master. Turns out there's two

Re: [HACKERS] SSL renegotiation and other related woes

2015-02-11 Thread Heikki Linnakangas
On 02/05/2015 11:03 PM, Heikki Linnakangas wrote: On 01/26/2015 12:14 PM, Andres Freund wrote: Can we work-around that easily? I believe we can. The crucial part is that we mustn't let SSL_write() to process any incoming application data. We can achieve that if we always call SSL_read() to drain

Re: [HACKERS] SSL renegotiation and other related woes

2015-02-05 Thread Heikki Linnakangas
On 01/26/2015 12:14 PM, Andres Freund wrote: Hi, When working on getting rid of ImmediateInterruptOK I wanted to verify that ssl still works correctly. Turned out it didn't. But neither did it in master. Turns out there's two major things we do wrong: 1) We ignore the rule that once called

[HACKERS] SSL renegotiation and other related woes

2015-01-26 Thread Andres Freund
Hi, When working on getting rid of ImmediateInterruptOK I wanted to verify that ssl still works correctly. Turned out it didn't. But neither did it in master. Turns out there's two major things we do wrong: 1) We ignore the rule that once called and returning SSL_ERROR_WANTS_(READ|WRITE)

Re: [HACKERS] SSL renegotiation and other related woes

2015-01-26 Thread Andres Freund
On 2015-01-26 11:14:05 +0100, Andres Freund wrote: My testcase for this is just to setup a server with a low ssl_renegotiation_limit, generate lots of WAL (wal.sql attached) and receive data via pg_receivexlog -n. Usually it'll error out quickly. ... Greetings, Andres Freund -- Andres