From: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: libpq copy error handling busted |
Date: | 2020-06-04 03:36:52 |
Message-ID: | CA+hUKGJ24GfO0HhADsyijGz1j_g==qTRjQcy3+ZmknGtFR0Wuw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Jun 4, 2020 at 1:53 PM Thomas Munro <thomas(dot)munro(at)gmail(dot)com> wrote:
> On Thu, Jun 4, 2020 at 1:35 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Ah, it's better if I put the pqReadData call into *both* the paths
> > where 1f39a1c06 made pqSendSome give up. The attached patch seems
> > to fix the issue for the "pgbench -i" scenario, with either fast-
> > or immediate-mode server stop. I tried it with and without SSL too,
> > just to see. Still, it's not clear to me whether this might worsen
> > any of the situations we discussed in the lead-up to 1f39a1c06 [1].
> > Thomas, are you in a position to redo any of that testing?
It seems to be behave correctly in that scenario.
Here's what I tested. First, I put this into pgdata/postgresql.conf:
ssl=on
ssl_ca_file='root+client_ca.crt'
ssl_cert_file='server-cn-only.crt'
ssl_key_file='server-cn-only.key'
ssl_crl_file='root+client.crl'
ssl_min_protocol_version='TLSv1.2'
ssl_max_protocol_version='TLSv1.1'
ssl_min_protocol_version='TLSv1.2'
ssl_max_protocol_version=''
I copied the named files from src/test/ssl/ssl/ into pgdata, and I ran
chmod 600 on the .key file.
I put this into pgdata/pg_hba.conf at the top:
hostssl all all 127.0.0.1/32 cert clientcert=verify-full
I made a copy of src/test/ssl/ssl/client-revoked.key and ran chmod 600 on it.
Now on unpatched master I get:
$ psql "host=127.0.0.1 port=5432 dbname=postgres user=tmunro
sslcert=src/test/ssl/ssl/client-revoked.crt sslkey=client-revoked.key
sslmode=require"
psql: error: could not connect to server: SSL error: sslv3 alert
certificate revoked
It's the same if I add in this sleep in fe-connect.c:
+sleep(1);
/*
* Send the startup packet.
*
If I revert 1f39a1c0641531e0462a4822f2dba904c5d4d699 "Restructure
libpq's handling of send failures.", I get the error that eelpout
showed intermittently:
psql: error: could not connect to server: server closed the connection
unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
could not send startup packet: Connection reset by peer
I go back to master, and apply your patch. I get the expected error:
psql: error: could not connect to server: SSL error: sslv3 alert
certificate revoked
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2020-06-04 03:40:13 | Re: Parallel copy |
Previous Message | Tom Lane | 2020-06-04 02:46:26 | Re: [PATCH] Leading minus for negative time interval in ISO 8601 |