From: | Paul Davis <paul(dot)joseph(dot)davis(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #5804: Connection aborted after many queries. |
Date: | 2010-12-29 16:59:01 |
Message-ID: | AANLkTi=tkyWAgNgawhAhREqP1DPudkvEp+3q-gOodx07@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Wed, Dec 29, 2010 at 11:27 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Paul Davis <paul(dot)joseph(dot)davis(at)gmail(dot)com> writes:
>> And this intriguing error in the server logs from around that time:
>
>> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG: SSL failed to send renegotiation request
>> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG: could not send data to client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG: could not receive data from client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG: unexpected EOF on client connection
>
>> Googling, I see something that suggests turning off SSL renegotiation
>> which I'll try next.
>
> In all cases, you were testing a client against a server on a different
> machine, right? This looks to me like you've got two different openssl
> libraries, one of which has a bogus partial fix for the recent SSL
> renegotiation security issue. I'm not sure what the state of play is
> in Apple's shipping version of openssl --- you might have to get an
> up-to-date source distribution and compile it yourself to have non-bogus
> renegotiation behavior. Or you could just disable renegotiation on the
> PG server.
>
> regards, tom lane
>
Yeah, all failures were between separate machines with various
versions of OpenSSL that I never thought to keep track of. After more
Googling I've found that OS X "fixed" the renegotiation issue by
disabling it in a security fix [1].
For the time being I'll just disable it server side as traffic isn't
ever routed across a public network.
Thanks for the help.
Paul Davis
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2010-12-29 17:34:18 | Re: BUG #5804: Connection aborted after many queries. |
Previous Message | Tom Lane | 2010-12-29 16:27:56 | Re: BUG #5804: Connection aborted after many queries. |