Shay Rojansky <roji@roji.org> writes:
> I tested the patch.
Thanks!
> Doing SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF) doesn't
> have any effect whatsoever - I still have the same issue (session id
> context uninitialized). I suspect session caching is an entirely different
> feature from session tickets/RFC5077 (although it might still be a good
> idea to disable).
Right, we expected that that would have no visible effect, because there
is no way to cache sessions in Postgres anyway. The main point, if I
understand Heikki's concern correctly, is that this might save some
amount of low-level overhead from clients trying to cache connections.
> Doing SSL_CTX_set_options(context, SSL_OP_NO_TICKET) indeed resolves the
> issue, as expected.
Excellent. I'll push this patch tomorrow sometime (too late/tired
right now).
> As I wrote above, I'd remove the #ifdef and execute it always.
The reason I put the #ifdef in is that according to my research the
SSL_OP_NO_TICKET symbol was introduced in openssl 0.9.8f, while we
claim to support back to 0.9.8. I'd be the first to say that you're
nuts if you're running openssl versions that old; but this patch is not
something to move the compatibility goalposts for when it only takes
an #ifdef to avoid breaking older versions.
(I need to check how far back SSL_SESS_CACHE_OFF goes ... we might
need an #ifdef for that too.)
regards, tom lane