libpq thread locking during SSL connection start

Поиск
Список
Период
Сортировка
От Stephen Frost
Тема libpq thread locking during SSL connection start
Дата
Msg-id 20130801142443.GO2706@tamriel.snowman.net
обсуждение исходный текст
Ответы Re: libpq thread locking during SSL connection start  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Список pgsql-hackers
Дерево обсуждения 
All,
 I wanted to highlight the below commit as being a significant enough change that it warrents being seen on -hackers
andnot just -committers.  If you use SSL with libpq, particularly in a threaded mode/environment, please take a
look/testthis change.  Prior to the patch, we would crash pretty easily when using client certificates with multiple
threads;I was unable to get it to crash after the patch.  That said, there's also risk that this patch will cause
slow-downsin SSL connections when using threads due to the additional locking.  I'm not sure that's a heavily used
case,but none-the-less, if you do that, please considering testing this patch. 
  Thanks!
      Stephen

----- Forwarded message from Stephen Frost <sfrost@snowman.net> -----

Date: Thu, 01 Aug 2013 05:33:12 +0000
From: Stephen Frost <sfrost@snowman.net>
To: pgsql-committers@postgresql.org
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=hamversion=3.3.2
Subject: [COMMITTERS] pgsql: Add locking around SSL_context usage in libpq

Add locking around SSL_context usage in libpq

I've been working with Nick Phillips on an issue he ran into when
trying to use threads with SSL client certificates.  As it turns out,
the call in initialize_SSL() to SSL_CTX_use_certificate_chain_file()
will modify our SSL_context without any protection from other threads
also calling that function or being at some other point and trying to
read from SSL_context.

To protect against this, I've written up the attached (based on an
initial patch from Nick and much subsequent discussion) which puts
locks around SSL_CTX_use_certificate_chain_file() and all of the other
users of SSL_context which weren't already protected.

Nick Phillips, much reworked by Stephen Frost

Back-patch to 9.0 where we started loading the cert directly instead of
using a callback.

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/aad2a630b1b163038ea904e16a59e409020f5828

Modified Files
--------------
src/interfaces/libpq/fe-secure.c |   56 ++++++++++++++++++++++++++++++++++++--
1 file changed, 53 insertions(+), 3 deletions(-)


--
Sent via pgsql-committers mailing list (pgsql-committers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-committers

----- End forwarded message -----

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Andres Freund
Дата:
Сообщение: Re: Re: ALTER SYSTEM SET command to change postgresql.conf parameters (RE: Proposal for Allow postgresql.conf values to be changed via SQL [review])
Следующее
От: David Johnston
Дата:
Сообщение: Re: How to configer the pg_hba record which the database name with "\n" ?