Paul Davis <paul.joseph.davis@gmail.com> writes:
> And this intriguing error in the server logs from around that time:
> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
> 2010-12-28 18:40:02 EST LOG: SSL failed to send renegotiation request
> 2010-12-28 18:40:02 EST LOG: SSL renegotiation failure
> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
> 2010-12-28 18:40:02 EST LOG: could not send data to client:
> Connection reset by peer
> 2010-12-28 18:40:02 EST LOG: SSL error: unsafe legacy renegotiation disabled
> 2010-12-28 18:40:02 EST LOG: could not receive data from client:
> Connection reset by peer
> 2010-12-28 18:40:02 EST LOG: unexpected EOF on client connection
> Googling, I see something that suggests turning off SSL renegotiation
> which I'll try next.
In all cases, you were testing a client against a server on a different
machine, right? This looks to me like you've got two different openssl
libraries, one of which has a bogus partial fix for the recent SSL
renegotiation security issue. I'm not sure what the state of play is
in Apple's shipping version of openssl --- you might have to get an
up-to-date source distribution and compile it yourself to have non-bogus
renegotiation behavior. Or you could just disable renegotiation on the
PG server.
regards, tom lane