Simplify the way OpenSSL renegotiation is initiated in server.
authorHeikki Linnakangas <[email protected]>
Fri, 13 Feb 2015 19:46:08 +0000 (21:46 +0200)
committerHeikki Linnakangas <[email protected]>
Fri, 13 Feb 2015 19:46:08 +0000 (21:46 +0200)
At least in all modern versions of OpenSSL, it is enough to call
SSL_renegotiate() once, and then forget about it. Subsequent SSL_write()
and SSL_read() calls will finish the handshake.

The SSL_set_session_id_context() call is unnecessary too. We only have
one SSL context, and the SSL session was created with that to begin with.

src/backend/libpq/be-secure-openssl.c

index d5f97122ff408f847bb59cabf48f6e51db3e2edd..d13ce334cccf8145c8882db3fd7e072d07e3847d 100644 (file)
@@ -624,33 +624,10 @@ be_tls_write(Port *port, void *ptr, size_t len)
         */
        SSL_clear_num_renegotiations(port->ssl);
 
-       SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
-                                  sizeof(SSL_context));
        if (SSL_renegotiate(port->ssl) <= 0)
            ereport(COMMERROR,
                    (errcode(ERRCODE_PROTOCOL_VIOLATION),
                     errmsg("SSL failure during renegotiation start")));
-       else
-       {
-           int         retries;
-
-           /*
-            * A handshake can fail, so be prepared to retry it, but only
-            * a few times.
-            */
-           for (retries = 0;; retries++)
-           {
-               if (SSL_do_handshake(port->ssl) > 0)
-                   break;  /* done */
-               ereport(COMMERROR,
-                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
-                        errmsg("SSL handshake failure on renegotiation, retrying")));
-               if (retries >= 20)
-                   ereport(FATAL,
-                           (errcode(ERRCODE_PROTOCOL_VIOLATION),
-                            errmsg("could not complete SSL handshake on renegotiation, too many failures")));
-           }
-       }
    }
 
 wloop:
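Review bot: With the SSL_do_handshake() retry loop removed, nothing left in this hunk confirms that the renegotiation requested by SSL_renegotiate() ever completes, and a failed start is only logged at COMMERROR before control falls through to `wloop:`. The removed loop was also the only place in this hunk that escalated to FATAL, so enforcement now has to come from code outside the hunk; the counter reset by SSL_clear_num_renegotiations() suggests completion is detected through it, but that check is not visible here. I would document this at the call site, for example `/* SSL_renegotiate() only requests the handshake; subsequent SSL_write() and SSL_read() calls complete it. */`, and have the comment name where a renegotiation that never completes is detected and the connection closed. The body of be_tls_write starts before and continues past this hunk, so that check should be confirmed against the full function.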