From 1c2b7c0879d83ff79e4adf2c0a883df92b713da4 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 16 Feb 2015 22:34:32 +0200 Subject: [PATCH] Restore the SSL_set_session_id_context() call to OpenSSL renegotiation. This reverts the removal of the call in commit (272923a0). It turns out it wasn't superfluous after all: without it, renegotiation fails if a client certificate was used. The rest of the changes in that commit are still OK and not reverted. Per investigation of bug #12769 by Arne Scheffer, although this doesn't fix the reported bug yet. --- src/backend/libpq/be-secure-openssl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 37af6e4fda..b06f987b3f 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -595,6 +595,10 @@ be_tls_write(Port *port, void *ptr, size_t len, int *waitfor) */ SSL_clear_num_renegotiations(port->ssl); + /* without this, renegotiation fails when a client cert is used */ + SSL_set_session_id_context(port->ssl, (void *) &SSL_context, + sizeof(SSL_context)); + if (SSL_renegotiate(port->ssl) <= 0) ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION),