summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTom Lane2011-07-24 19:17:51 +0000
committerTom Lane2011-07-24 19:17:51 +0000
commitd0c23026b2499ba9d6797359241ade076a5a677d (patch)
tree63b3e34c4b13423364b5a1ae73a5c086c949d1fe
parent081a5518c0a7dcccfc76a12ae9d593648b68ce53 (diff)
Use OpenSSL's SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag.
This disables an entirely unnecessary "sanity check" that causes failures in nonblocking mode, because OpenSSL complains if we move or compact the write buffer. The only actual requirement is that we not modify pending data once we've attempted to send it, which we don't. Per testing and research by Martin Pihlak, though this fix is a lot simpler than his patch. I put the same change into the backend, although it's less clear whether it's necessary there. We do use nonblock mode in some situations in streaming replication, so seems best to keep the same behavior in the backend as in libpq. Back-patch to all supported releases.
-rw-r--r--src/backend/libpq/be-secure.c6
-rw-r--r--src/interfaces/libpq/fe-secure.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index f84ef5d506..4e8faa4f35 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -737,6 +737,12 @@ initialize_SSL(void)
SSLerrmessage())));
/*
+ * Disable OpenSSL's moving-write-buffer sanity check, because it
+ * causes unnecessary failures in nonblocking send cases.
+ */
+ SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+
+ /*
* Load and verify server's certificate and private key
*/
if (SSL_CTX_use_certificate_chain_file(SSL_context,
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index cd1292ccb6..9319f972c8 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -757,6 +757,12 @@ init_ssl_system(PGconn *conn)
#endif
return -1;
}
+
+ /*
+ * Disable OpenSSL's moving-write-buffer sanity check, because it
+ * causes unnecessary failures in nonblocking send cases.
+ */
+ SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
#ifdef ENABLE_THREAD_SAFETY