Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection
| From | Heikki Linnakangas |
|---|---|
| Subject | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection |
| Date | |
| Msg-id | f11f4544-4836-2ba4-064c-e2578db32bdc@iki.fi |
| In reply to | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection (Heikki Linnakangas <hlinnaka@iki.fi>) |
| Responses | Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection; Re: BUG #14329: libpq doesn't send complete client certificate chain on first SSL connection |
| List | pgsql-bugs |
On 10/04/2016 09:55 PM, Heikki Linnakangas wrote:
> I'm starting to feel that using the same SSL_CTX object for multiple
> connections is just too fragile. Perhaps we could share one SSL_CTX
> object for all the connections with no sslcert and no sslrootcert, but
> I'm not sure if even that is worth it.
>
> In quick testing, calling SSL_CTX_new() for each connection adds about
> 3% of overhead to establishing a new connection, with the default
> OpenSSL settings (seems to use ECDHE-RSA-AES256-GCM-SHA384 cipher here).
> I also tested memory usage with a program that opens 10000 connections,
> and it used about 15% more memory, when SSL_CTX_new() is called for each
> connection. I think that's acceptable. Barring objections, I'm going to
> write a patch to use a separate SSL context for every connection.

I came up with the attached patch for this. As threatened, it uses a separate SSL context for each connection. That simplifies the code somewhat, and fixes the bugs. Kacper's test case is included in this.

(This is for git master, stable branches will need small tweaking to make the patch apply.)

Did some more testing with "pgbench -C". The overhead on establishing a connection is a bit higher than I saw initially, about 6%, when sslmode=verify-ca is used. Might be more with more complex certificate chains. I think that's still acceptable. If you have an application that establishes SSL connections so frequently that that matters, you should reconsider your design.

- Heikki