If SSL negotiation fails and SSLMODE is 'prefer', then retry without SSL.

Negotiation failure is only likely to happen if one side or the other is misconfigured, eg. bad client certificate. I'm not 100% convinced that a retry is really the best thing, hence not back-patching this fix for now. Per gripe from Sergio Cinos.

If SSL negotiation fails and SSLMODE is 'prefer', then retry without SSL.
Negotiation failure is only likely to happen if one side or the other is misconfigured, eg. bad client certificate. I'm not 100% convinced that a retry is really the best thing, hence not back-patching this fix for now. Per gripe from Sergio Cinos.
bcd713a6 · Tom Lane · cc6c10a7 · bcd713a6
隐藏空白更改
内联并排

Showing with 20 addition and 1 deletion

src/interfaces/libpq/fe-connect.c src/interfaces/libpq/fe-connect.c +20 -1

未找到文件。
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.338 2006/10/06 17:14:00 petere Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.339 2006/11/21 16:28:00 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1400,6 +1400,25 @@ keep_going:						/* We will come back to here until there is
 					conn->status = CONNECTION_MADE;
 					return PGRES_POLLING_WRITING;
 				}
+				if (pollres == PGRES_POLLING_FAILED)
+				{
+					/*
+					 * Failed ... if sslmode is "prefer" then do a non-SSL
+					 * retry
+					 */
+					if (conn->sslmode[0] == 'p' /* "prefer" */
+						&& conn->allow_ssl_try	/* redundant? */
+						&& !conn->wait_ssl_try) /* redundant? */
+					{
+						/* only retry once */
+						conn->allow_ssl_try = false;
+						/* Must drop the old connection */
+						closesocket(conn->sock);
+						conn->sock = -1;
+						conn->status = CONNECTION_NEEDED;
+						goto keep_going;
+					}
+				}
 				return pollres;
 #else							/* !USE_SSL */
 				/* can't get here */