Re: BUG #5804: Connection aborted after many queries.
From | Paul Davis |
---|---|
Subject | Re: BUG #5804: Connection aborted after many queries. |
Date | |
Msg-id | AANLkTi=tkyWAgNgawhAhREqP1DPudkvEp+3q-gOodx07@mail.gmail.com |
In reply to | Re: BUG #5804: Connection aborted after many queries. (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #5804: Connection aborted after many queries. |
List | pgsql-bugs |

On Wed, Dec 29, 2010 at 11:27 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Paul Davis <paul.joseph.davis@gmail.com> writes:
>> And this intriguing error in the server logs from around that time:
>
>> 2010-12-28 18:40:02 EST LOG:  SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG:  SSL failed to send renegotiation request
>> 2010-12-28 18:40:02 EST LOG:  SSL renegotiation failure
>> 2010-12-28 18:40:02 EST LOG:  SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG:  could not send data to client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG:  SSL error: unsafe legacy renegotiation disabled
>> 2010-12-28 18:40:02 EST LOG:  could not receive data from client:
>> Connection reset by peer
>> 2010-12-28 18:40:02 EST LOG:  unexpected EOF on client connection
>
>> Googling, I see something that suggests turning off SSL renegotiation
>> which I'll try next.
>
> In all cases, you were testing a client against a server on a different
> machine, right?  This looks to me like you've got two different openssl
> libraries, one of which has a bogus partial fix for the recent SSL
> renegotiation security issue.  I'm not sure what the state of play is
> in Apple's shipping version of openssl --- you might have to get an
> up-to-date source distribution and compile it yourself to have non-bogus
> renegotiation behavior.  Or you could just disable renegotiation on the
> PG server.
>
>                         regards, tom lane
>

Yeah, all failures were between separate machines with various
versions of OpenSSL that I never thought to keep track of. After more
Googling I've found that OS X "fixed" the renegotiation issue by
disabling it in a security fix [1]. For the time being I'll just
disable it server side as traffic isn't ever routed across a public
network.

Thanks for the help.

Paul Davis

[1] http://support.apple.com/kb/HT4004
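
A triage sketch for the log signature quoted in this message, added here as an example and not part of the original thread or of PostgreSQL: it separates connection drops that follow an SSL renegotiation failure from unrelated resets. The function name `classify_drops`, the two-second window, and the log prefix layout (timestamp, zone, `LOG:`) are assumptions, and the sample log is constructed from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt in the message; the last two
# lines are an unrelated client reset added to show the contrast.
SAMPLE_LOG = """\
2010-12-28 18:39:10 EST LOG:  connection authorized: user=app database=app
2010-12-28 18:40:02 EST LOG:  SSL renegotiation failure
2010-12-28 18:40:02 EST LOG:  SSL failed to send renegotiation request
2010-12-28 18:40:02 EST LOG:  SSL error: unsafe legacy renegotiation disabled
2010-12-28 18:40:02 EST LOG:  could not send data to client: Connection reset by peer
2010-12-28 18:40:02 EST LOG:  unexpected EOF on client connection
2010-12-28 19:05:41 EST LOG:  could not receive data from client: Connection reset by peer
2010-12-28 19:05:41 EST LOG:  unexpected EOF on client connection
"""

# Assumed prefix: "<date> <time> <zone> LOG:"; the zone is ignored because
# only differences between timestamps in the same file matter here.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ LOG:\s+(.*)$")
RENEG = ("SSL renegotiation failure",
         "SSL failed to send renegotiation request",
         "unsafe legacy renegotiation disabled")
DROP = ("Connection reset by peer", "unexpected EOF on client connection")


def classify_drops(log_text, window_seconds=2):
    """Return [(timestamp, cause)], one entry per second in which a drop is logged."""
    window = timedelta(seconds=window_seconds)
    last_reneg = None      # time of the most recent renegotiation error
    incidents = {}         # drop timestamp -> cause, first classification wins
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue       # continuation lines and other formats are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if any(s in msg for s in RENEG):
            last_reneg = ts
        elif any(s in msg for s in DROP):
            near = last_reneg is not None and ts - last_reneg <= window
            incidents.setdefault(ts, "renegotiation" if near else "other")
    return [(t.isoformat(sep=" "), c) for t, c in sorted(incidents.items())]


if __name__ == "__main__":
    for when, cause in classify_drops(SAMPLE_LOG):
        print(when, cause)
```

For drops classified as `renegotiation`, the server-side option mentioned in the thread corresponds to PostgreSQL's `ssl_renegotiation_limit` setting on versions that have it, where 0 disables renegotiation.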