projects / users / bernd / postgres.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dc01efa)
Simplify the way OpenSSL renegotiation is initiated in server.
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Fri, 13 Feb 2015 19:46:08 +0000 (21:46 +0200)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Fri, 13 Feb 2015 19:46:08 +0000 (21:46 +0200)
At least in all modern versions of OpenSSL, it is enough to call
SSL_renegotiate() once, and then forget about it. Subsequent SSL_write()
and SSL_read() calls will finish the handshake.

The SSL_set_session_id_context() call is unnecessary too. We only have
one SSL context, and the SSL session was created with that to begin with.

src/backend/libpq/be-secure-openssl.c patch | blob | blame | history

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index d5f97122ff408f847bb59cabf48f6e51db3e2edd..d13ce334cccf8145c8882db3fd7e072d07e3847d 100644 (file)
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -624,33 +624,10 @@ be_tls_write(Port *port, void *ptr, size_t len)
                 */
                SSL_clear_num_renegotiations(port->ssl);
 
-               SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
-                                                                  sizeof(SSL_context));
                if (SSL_renegotiate(port->ssl) <= 0)
                        ereport(COMMERROR,
                                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                                         errmsg("SSL failure during renegotiation start")));
-               else
-               {
-                       int                     retries;
-
-                       /*
-                        * A handshake can fail, so be prepared to retry it, but only
-                        * a few times.
-                        */
-                       for (retries = 0;; retries++)
-                       {
-                               if (SSL_do_handshake(port->ssl) > 0)
-                                       break;  /* done */
-                               ereport(COMMERROR,
-                                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
-                                                errmsg("SSL handshake failure on renegotiation, retrying")));
-                               if (retries >= 20)
-                                       ereport(FATAL,
-                                                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
-                                                        errmsg("could not complete SSL handshake on renegotiation, too many failures")));
-                       }
-               }
        }
 
 wloop:
Bernd Helmle's repository