Re: 12.1 not useable: clientlib fails after a dozen queries (GSSAPI ?)
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Peter <pmc@citylink.dinoex.sub.org>
Cc: pgsql-hackers@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2020-01-10T17:59:09Z
Lists: pgsql-hackers, pgsql-general
Attachments
- check-gssenc-data-transport-1.patch (text/x-diff) patch
- regress_log_001_auth (text/plain)
[ redirecting to -hackers ] Peter <pmc@citylink.dinoex.sub.org> writes: > But I just recognize something of interest (which I had taken for > granted when importing the database): the flaw does NOT appear when > accessing the database from the server's local system (with TCP and > GSSAPI encryption active). Only from remote system. > But then, if I go on the local system, and change the mtu: > # ifconfig lo0 mtu 1500 > and restart the server, then I get the exact same errors locally. Oh-ho, that is interesting. Looking at our regression tests for gssenc, I observe that they only try to transport a negligible amount of data (viz, single-row boolean results). So we'd not notice any problem that involved multiple-packet messages. I modified the kerberos test so that it tries a query with a less negligible amount of data, and what I find is: * passes on Fedora 30, with either default or 1500 mtu * passes on FreeBSD 12.0 with default mtu * FAILS on FreeBSD 12.0 with mtu = 1500 I haven't run it further to ground than that, but there's definitely something fishy here. Based on just these results one would be hard pressed to say if it's our bug or FreeBSD's, but your report that you don't see the failure with PG 11 makes it sound like our problem. OTOH, I also find that there's some hysteresis in the behavior: once it's failed, reverting the mtu to the default setting doesn't necessarily make subsequent runs pass. It's really hard to explain that behavior if it's our bug. I tested today's HEAD of our code with up-to-date FreeBSD 12.0-RELEASE-p12 running on amd64 bare metal, no jails or emulators or VIMAGE or anything. Attached are proposed test patch, as well as client-side regression log output from a failure. (There's no evidence of distress in the postmaster log, same as your report.) regards, tom lane
Commits
-
Extensive code review for GSSAPI encryption mechanism.
- fde155424f67 12.2 landed
- 2c0cdc818365 13.0 landed