Re: Should we back-patch SSL renegotiation fixes?

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Should we back-patch SSL renegotiation fixes?
Date: 2015-06-23 18:59:06
Message-ID: CA+TgmoY7RAqN4=XfOW8dk+2az+tTBfvM5L36es-tnxTKxoEmyQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jun 23, 2015 at 2:33 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Those of you who have been following
> http://www.postgresql.org/message-id/flat/1d3bc192-970d-4b70-a5fe-38d2a9f762b3(at)me(dot)com
> are aware that Red Hat shipped a rather broken version of openssl last
> week. While waiting for them to fix it, I've been poking at the behavior,
> and have found out that PG 9.4 and later are much less badly broken than
> older branches. In the newer branches you'll see a failure only after
> transmitting 2GB within a session, whereas the older branches fail at
> the second renegotiation attempt, which would typically be 1GB of data
> and could be a lot less.
>
> I do not know at this point whether these behaviors are really the same
> bug or not, but I wonder whether it's time to consider back-patching the
> renegotiation fixes we did in 9.4. Specifically, I think maybe we should
> back-patch 31cf1a1a4, 86029b31e, and 36a3be654. (There are more changes
> in master, but since those haven't yet shipped in any released branch,
> and there's been a lot of other rework in the same area, those probably
> are not back-patch candidates.)
>
> Thoughts?

I have no clear idea how safe it is to back-port these fixes.

Just as a point of reference, we had a customer hit a problem similar
to bug #12769 on 9.3.x. I think (but am not sure) that 272923a0a may
have been intended to fix that issue. In a quick search, I didn't
find any other complaints about renegotiation-related issues from our
customers.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
