| From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
|---|---|
| To: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Error-like LOG when connecting with SSL for password authentication |
| Date: | 2017-05-22 07:10:26 |
| Message-ID: | CAB7nPqSfyVV42Q2acFo=vrvF2gxoZAMJLAPq3S3KkjhZAYi7aw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi all,
When attempting to connect using password authentication through SSL,
the backend will complain in its log with the following entry before
calling sendAuthRequest(), which asks the client for a password:
LOG: could not receive data from client: Connection reset by peer
After a short talk with Heikki, it seems that be_tls_read() complains
on SSL_ERROR_ZERO_RETURN, which is documented here:
https://wiki.openssl.org/index.php/Manual:SSL_get_error(3)
The TLS/SSL connection has been closed. If the protocol version is SSL
3.0 or TLS 1.0, this result code is returned only if a closure alert
has occurred in the protocol, i.e. if the connection has been closed
cleanly. Note that in this case SSL_ERROR_ZERO_RETURN does not
necessarily indicate that the underlying transport has been closed.
As this is a clean shutdown of the SSL connection, shouldn't
be_tls_read() return 0 to the caller instead of -1? This would map
with what the non-SSL code path does for raw reads.
This is basically harmless, but the error message is confusing I
think, and there is no equivalent for the non-SSL code path.
Attached is an idea of patch.
Thoughts?
--
Michael
| Attachment | Content-Type | Size |
|---|---|---|
| ssl-read-commerr.patch | application/octet-stream | 2.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2017-05-22 07:10:55 | Re: Fix a typo in hash.c |
| Previous Message | Ashutosh Bapat | 2017-05-22 06:32:26 | Re: Partition-wise join for join between (declaratively) partitioned tables |