Re: Rare SSL failures on eelpout

From: Tom Lane
Subject: Re: Rare SSL failures on eelpout
Msg-id: 26265.1552866224@sss.pgh.pa.us
In reply to: Re: Rare SSL failures on eelpout  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers

I wrote:
> Thomas Munro <thomas.munro@gmail.com> writes:
>> This was an intentional change in TLS1.3, reducing round trips by
>> verifying the client certificate later.

> Ugh.  So probably we can reproduce it elsewhere if we use cutting-edge
> OpenSSL versions.

I installed OpenSSL 1.1.1a on my Mac laptop.  I got through 100 cycles
of the ssl tests without a problem, which is not too surprising because
longfin has been running on pretty much the exact same software stack
since late November, and it has not shown the problem.  However ...
I threw in the sleep() where you advised in fe-connect.c, and kaboom!

t/001_ssltests.pl .. 67/75
#   Failed test 'certificate authorization fails with revoked client cert: matches'
#   at t/001_ssltests.pl line 375.
#                   'psql: server closed the connection unexpectedly
#       This probably means the server terminated abnormally
#       before or while processing the request.
# could not send startup packet: Broken pipe
# '
#     doesn't match '(?^:SSL error)'
t/001_ssltests.pl .. 74/75
#   Failed test 'intermediate client certificate is missing: matches'
#   at t/001_ssltests.pl line 411.
#                   'psql: server closed the connection unexpectedly
#       This probably means the server terminated abnormally
#       before or while processing the request.
# could not send startup packet: Broken pipe
# '
#     doesn't match '(?^:SSL error)'
# Looks like you failed 2 tests of 75.
t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/75 subtests
t/002_scram.pl ..... ok

It seems quite repeatable this way.

So that confirms that it's the OpenSSL version that is critical,
and that you need a very new version to make it fail.

I shall now see about fixing it...

            regards, tom lane

