Re: Problem with streaming replication over SSL

From: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "Magnus Hagander *EXTERN*" <magnus(at)hagander(dot)net>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: Problem with streaming replication over SSL
Date: 2012-11-07 20:26:14
Message-ID: D960CB61B694CF459DCFB4B0128514C208A4EEFD@exadv11.host.magwien.gv.at
Lists: pgsql-general

Magnus Hagander wrote:
>>>> I have streaming replication configured over SSL, and
>>>> there seems to be a problem with SSL renegotiation.
>> [...]
>>>> After that, streaming replication reconnects and resumes working.
>>>>
>>>> Is this an oversight in the replication protocol, or is this
>>>> working as designed?

>>> This sounds a lot like the general issue with SSL renegotiation, just
>>> that it tends to show itself more often on replication connections
>>> since they don't disconnect very often...
>>>
>>> Have you tried disabling SSL renegotiation on the connection
>>> (ssl_renegotiation=0)? If that helps, then the SSL library on one of
>>> the ends still has the problem with renegotiation...

>> It can hardly be the CVE-2009-3555 renegotiation problem.
>>
>> Both machines have OpenSSL 1.0.0, and RFC 5746 was implemented
>> in 0.9.8m.

> It certainly *sounds* like that problem though. Maybe RedHat carried
> along the broken fix? It would surprise me, but given that it's
> openssl, not hugely much so :)
>
> It would be worth trying with ssl_renegotiation=0 to see if the problem
> goes away.

I tried, and that makes the problem go away.
This is to be expected of course, because no
renegotiation will take place with that setting.

>> But I'll try to test if normal connections have the problem too.

> That would be a useful datapoint. All settings around this *should*
> happen at a lower layer than the difference between a replication
> connection and a regular one, but it would be good to confirm it.

I tried, and a normal data connection does not have the
problem. I transferred more than 0.5 GB of data (at which
point renegotiation should take place), and there was no error.

Does it make sense to try and take a stack trace of the
problem, on primary or standby?

Yours,
Laurenz Albe
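Editor's note with an added example; this is not part of Laurenz's or Magnus's messages. The server parameter behind the "ssl_renegotiation=0" shorthand used in the thread is `ssl_renegotiation_limit` in postgresql.conf (PostgreSQL 8.4.3 through 9.4). It is the amount of data sent over an SSL connection before the session key is renegotiated; the default of 512MB is why the 0.5 GB figure above is the point at which renegotiation is expected. The fragment below shows the default next to the workaround that made the problem go away.

```ini
# postgresql.conf on the primary (PostgreSQL 9.x), editor's example

ssl = on

# Default: renegotiate the SSL session key after 512MB of traffic on a
# connection.  A walsender connection to a standby never disconnects on
# its own, so it reaches this limit sooner or later; an ordinary client
# session usually ends long before it does.
ssl_renegotiation_limit = 512MB

# Workaround confirmed in the thread: never renegotiate.  One session
# key then protects the whole lifetime of the connection, which for
# streaming replication can be weeks or months, so this trades key
# refresh for stability.
#ssl_renegotiation_limit = 0
```

Reload the server after changing it and check the effective value with `SHOW ssl_renegotiation_limit;`. To reproduce the test Laurenz ran on a normal connection, a query that returns more than the limit over an SSL session is enough, for example `psql "host=primary sslmode=require" -c "SELECT repeat('x', 1000) FROM generate_series(1, 600000)"` (about 600 MB of row data). Note that the workaround later became upstream's answer: the October 2015 9.x minor releases changed the default to 0, and PostgreSQL 9.5 removed the parameter entirely, so on current servers there is nothing to set and the OpenSSL renegotiation path is not used at all.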
