database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-22 02:52:08 +03:00
Code Activity

Simplify the way OpenSSL renegotiation is initiated in server.

Browse Source 
At least in all modern versions of OpenSSL, it is enough to call
SSL_renegotiate() once, and then forget about it. Subsequent SSL_write()
and SSL_read() calls will finish the handshake.

The SSL_set_session_id_context() call is unnecessary too. We only have
one SSL context, and the SSL session was created with that to begin with.
This commit is contained in:
Heikki Linnakangas
2015-02-13 21:46:08 +02:00
parent dc01efa5cc
commit 272923a0a6
1 changed files with 0 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/backend/libpq/be-secure-openssl.c
View File

@ -624,33 +624,10 @@ be_tls_write(Port *port, void *ptr, size_t len)
*/ */
SSL_clear_num_renegotiations(port->ssl); SSL_clear_num_renegotiations(port->ssl);
SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
sizeof(SSL_context));
if (SSL_renegotiate(port->ssl) <= 0) if (SSL_renegotiate(port->ssl) <= 0)
ereport(COMMERROR, ereport(COMMERROR,
(errcode(ERRCODE_PROTOCOL_VIOLATION), (errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("SSL failure during renegotiation start"))); errmsg("SSL failure during renegotiation start")));
else
{
int retries;
/*
* A handshake can fail, so be prepared to retry it, but only
* a few times.
*/
for (retries = 0;; retries++)
{
if (SSL_do_handshake(port->ssl) > 0)
break; /* done */
ereport(COMMERROR,
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("SSL handshake failure on renegotiation, retrying")));
if (retries >= 20)
ereport(FATAL,
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("could not complete SSL handshake on renegotiation, too many failures")));
}
}
} }
wloop: wloop: