On Tue, Nov 6, 2012 at 12:47 PM, Albe Laurenz <laurenz.albe@xxxxxxxxxx> wrote:
Magnus Hagander wrote:[...]
>> I have streaming replication configured over SSL, and
>> there seems to be a problem with SSL renegotiation.
>> After that, streaming replication reconnects and resumes working.It can hardly be the CVE-2009-3555 renegotiation problem.
>>
>> Is this an oversight in the replication protocol, or is this
>> working as designed?
> This sounds a lot like the general issue with SSL renegotiation, just
that it tends to show itself
> more often on replication connections since they don't disconnect very
often...
>
> Have you tried disabling SSL renegotiation on the connection
(ssl_renegotation=0)? If that helps, then
> the SSL library on one of the ends still has the problem with
renegotiation...
Both machines have OpenSSL 1.0.0, and RFC 5746 was implemented in
0.9.8m.
It certainly *sounds* like that problem though. Maybe RedHat carried along the broken fix? It would surprise me, but given that it's openssl, not hugely much so :)
It would be worth trying with ssl_renegotiation=0 to see if the problem goes away.
But I'll try to test if normal connections have the problem too.
That would be a useful datapoint. All settings around this *should* happen at a lower layer than the difference between a replication connection and a regular one, but it would be good to confir mit.
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
