Re: BUG #18907: SSL error: bad length failure during transfer data in pipeline mode with libpq

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: BATBAATAR Dorjpalam <htgn(dot)dbat(dot)95(at)gmail(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18907: SSL error: bad length failure during transfer data in pipeline mode with libpq
Date: 2025-06-09 17:02:52
Message-ID: 495420.1749488572@sss.pgh.pa.us
Lists: pgsql-bugs

I wrote:
> For a real fix, the narrowest answer would be to not round down
> toSend if we are using an SSL connection. I wonder though if
> the round-down behavior is of any use with GSSAPI either, or
> more generally if it's sensible for anything except a Unix-pipe
> connection.

Indeed, it looks like we'd better disable the round-down for GSSAPI
too, because pg_GSS_write has exactly this same API requirement that
caller has to pass at least as much data as last time.

Interestingly, we got a report of such a failure with GSSAPI
awhile ago, and "fixed" it in commit d053a879b. Apparently
the test case we were looking at then did not trigger this
specific pattern involving pqFlush followed by pqPutMsgEnd,
because that commit did not do anything to prevent this
failure pattern.

I'm disinclined to revert what d053a879b did, but we'd better
remove or update this comment:

+ * Note: it may seem attractive to report partial write completion once
+ * we've successfully sent any encrypted packets. However, that can cause
+ * problems for callers; notably, pqPutMsgEnd's heuristic to send only
+ * full 8K blocks interacts badly with such a hack. We won't save much,
+ * typically, by letting callers discard data early, so don't risk it.
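Review bot: The second sentence of this comment cites pqPutMsgEnd's full-8K-block heuristic only as a reason not to report partial write completion; it never states the requirement described above for pg_GSS_write, that the caller has to pass at least as much data as last time. If the comment is updated rather than removed, it should state that requirement directly and note that the pqFlush-followed-by-pqPutMsgEnd pattern is not prevented by avoiding partial-write reports alone.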

regards, tom lane
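
The failure pattern discussed in this message, as an added toy model that is not part of the original email and is not libpq or OpenSSL code. The names `enc_writer`, `enc_write` and `flush_then_msg_end`, and all byte counts, are hypothetical and constructed for illustration.

```c
/* Added illustration: a toy model, not libpq or OpenSSL code. */
#include <stdio.h>
#include <stddef.h>

#define BLOCK 8192          /* the "full 8K blocks" of the heuristic */
#define W_RETRY 0L          /* nothing sent yet, call again later */
#define W_BAD_LENGTH (-1L)  /* retry offered less data than last time */

/* Hypothetical encrypting writer that remembers an unfinished write. */
typedef struct {
    size_t pending;         /* length offered on the unfinished call, 0 if none */
    int would_block;        /* constructed: next call finds the socket full */
} enc_writer;

/* Returns bytes accepted, W_RETRY, or W_BAD_LENGTH. */
static long enc_write(enc_writer *w, size_t len)
{
    if (w->pending != 0 && len < w->pending)
        return W_BAD_LENGTH;            /* contract broken by the caller */
    if (w->would_block) {
        w->pending = len;               /* caller must come back with >= len */
        w->would_block = 0;
        return W_RETRY;
    }
    w->pending = 0;
    return (long) len;
}

/* Flush `buffered` bytes (blocks), append `appended` bytes, then send at
 * message end, optionally rounding the send size down to whole blocks. */
static long flush_then_msg_end(size_t buffered, size_t appended, int round_down)
{
    enc_writer w = { 0, 1 };
    size_t out_count = buffered;
    size_t to_send;

    if (enc_write(&w, out_count) != W_RETRY)    /* the flush attempt */
        return -2;                              /* not reached in this model */
    out_count += appended;                      /* more message data queued */
    to_send = round_down ? out_count - (out_count % BLOCK) : out_count;
    return enc_write(&w, to_send);
}

int main(void)
{
    /* Constructed sizes: 10000 bytes buffered, 500 more appended. */
    printf("rounded down: %ld\n", flush_then_msg_end(10000, 500, 1));
    printf("full buffer:  %ld\n", flush_then_msg_end(10000, 500, 0));
    return 0;
}
```

Whether the rounded-down send fails depends on how much data arrives between the two calls, which is why a test case can miss the pattern.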
