Thanks, Michael, that's it, indeed! I had missed that part of the
OpenSSL docs. These PG instances are running on Ubuntu Focal hosts that come
with OpenSSL 1.1.1.
We had never seen these in the previous Xenial images because those
were using OpenSSL 1.0.2, and from what I've seen the bug was introduced
in 1.1.0.
Thanks again,
Carla
On Wed, Jan 19, 2022 at 5:42 AM Michael Paquier <michael@xxxxxxxxxxx> wrote:
On Mon, Jan 17, 2022 at 05:05:52PM +0100, Carla Iriberri wrote:
> I saw previous discussions where different errors were logged with the
> "Success" message and this was corrected/treated as a bug, but I couldn't
> find similar reports specific to "could not accept SSL connection". Is this
> a known issue or case?
Not based on my recent mailing list memories, but I may be running short.
The error comes from the backend as you say, where this log would
expect something in saved_errno to feed %m.
And, upstream documentation tells that:
https://www.openssl.org/docs/manmaster/man3/SSL_get_error.html
"On an unexpected EOF, versions before OpenSSL 3.0 returned
SSL_ERROR_SYSCALL, nothing was added to the error stack, and errno was
0. Since OpenSSL 3.0 the returned error is SSL_ERROR_SSL with a
meaningful error on the error stack."
This would mean that relying on %m would be wrong for this case. And
I guess that you are using a version of OpenSSL older than 3.0?
--
Michael
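
Added example, not part of the original thread and not PostgreSQL's code: a minimal C sketch of why formatting errno (as %m does) after SSL_ERROR_SYSCALL with errno 0 logs a misleading reason, next to a check that treats that case as an unexpected EOF. The function names, the "EOF detected" wording and the queue_msg parameter are assumptions for illustration; the two constants carry the values from <openssl/ssl.h> so the block builds without OpenSSL.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same values as in <openssl/ssl.h>; repeated so no OpenSSL headers are needed. */
#ifndef SSL_ERROR_SSL
#define SSL_ERROR_SSL     1
#define SSL_ERROR_SYSCALL 5
#endif

/* Naive: always report strerror(saved_errno), which is what "%m" expands to.
 * With errno == 0 glibc yields "Success". */
static const char *naive_reason(int ssl_err, int saved_errno)
{
    (void) ssl_err;
    return strerror(saved_errno);
}

/* Hardened: before OpenSSL 3.0 an unexpected EOF is SSL_ERROR_SYSCALL with
 * errno == 0, so errno is only trusted when it is non-zero. queue_msg is a
 * hypothetical stand-in for text read from the OpenSSL error stack. */
static const char *accept_failure_reason(int ssl_err, int saved_errno,
                                         const char *queue_msg)
{
    switch (ssl_err) {
    case SSL_ERROR_SYSCALL:
        return saved_errno != 0 ? strerror(saved_errno) : "EOF detected";
    case SSL_ERROR_SSL:
        return queue_msg != NULL ? queue_msg : "unknown SSL error";
    default:
        return "unrecognized SSL error code";
    }
}

int main(void)
{
    const char *prefix = "could not accept SSL connection";

    /* Constructed cases: client dropped mid-handshake, then a real socket error. */
    printf("naive:    %s: %s\n", prefix, naive_reason(SSL_ERROR_SYSCALL, 0));
    printf("hardened: %s: %s\n", prefix,
           accept_failure_reason(SSL_ERROR_SYSCALL, 0, NULL));
    printf("hardened: %s: %s\n", prefix,
           accept_failure_reason(SSL_ERROR_SYSCALL, ECONNRESET, NULL));
    return 0;
}
```

On log-monitoring hosts this also means a "Success" suffix on an SSL accept failure is best read as a peer that disconnected mid-handshake, not as a successful connection.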