From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Dave Page <dpage(at)postgresql(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, pgsql-patches(at)postgresql(dot)org |
Subject: | Re: OpenSSL Applink |
Date: | 2007-10-01 13:16:13 |
Message-ID: | 20071001131613.GJ387@svr2.hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-patches |
On Mon, Oct 01, 2007 at 02:37:44PM +0200, Magnus Hagander wrote:
> On Sat, Sep 29, 2007 at 09:01:16PM +0100, Dave Page wrote:
> > Tom Lane wrote:
> > > "Dave Page" <dpage(at)postgresql(dot)org> writes:
> > >>> From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
> > >>> ... It's not entirely clear whether BIO_new_fp() would avoid the
> > >>> problematic calls, but it doesn't look like it'd be hard to try.
> > >
> > >> The last version of the patch I posted uses BIO_new_file() in all cases, and (from memory) BIO_get_fp() in the non-win32 case to get a FILE* to pass to fstat.
> > >
> > > Did you manage to get rid of the bogus-error-message problem that
> > > afflicted the first version of the patch? If so, this way is fine.
> >
> > No, thats still an issue.
>
> A guess on this - probably the BIO stuff overwrites some internal OpenSSL
> "errno" value, causing the wrong error to be passed up. Most likely, it's
> not save to call BIO functions from inside the callback. My bet is that
> it'll actually break without this patch, if you stick something that's
> invalid in there. It's just taht we picked up the "does not exist" error
> without calling BIO functions.
>
> A quick peek at the OpenSSL sources seems to confirm this.
>
> I think we want to either attempt to load the client certificate before we
> connect (and before it's requested) and just queue up the error to show it
> in only if it's requested, or we want to try some magic around
> ERR_set_mark()/ERR_pop_to_mark() to clear out any BIO errors before we hand
> control back.
>
> I'll see if I can put together a poc patch - need to reproduce the problem
> first :-)
Just a quick followup - this is also reproducible on Unix:
mha(at)builder:~/inst-pg/head/bin$ PGSSLMODE=require ./psql -h localhost
postgres
psql: SSL SYSCALL error: Resource temporarily unavailable
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2007-10-01 13:34:01 | Re: OpenSSL Applink |
Previous Message | Marshall, Steve | 2007-10-01 13:01:45 | Re: TCL fix in HEAD |