Thread: BUG #14432: sslmode=allow causing authentication to time out

VGhlIGZvbGxvd2luZyBidWcgaGFzIGJlZW4gbG9nZ2VkIG9uIHRoZSB3ZWJz
aXRlOgoKQnVnIHJlZmVyZW5jZTogICAgICAxNDQzMgpMb2dnZWQgYnk6ICAg
ICAgICAgIEFubnVuemlhdG8gVG9jY2kKRW1haWwgYWRkcmVzczogICAgICBu
dW56aW90b2NjaTIwMDBAZ21haWwuY29tClBvc3RncmVTUUwgdmVyc2lvbjog
OS42LjEKT3BlcmF0aW5nIHN5c3RlbTogICBGZWRvcmEgMjQsIDY0LWJpdApE
ZXNjcmlwdGlvbjogICAgICAgIAoKSSBoYXZlIGEgcHJvamVjdCB0aGF0IGV4
cG9zZXMgYSBkYXRhYmFzZSB3aXRoIGFuIEFQSSwgYW5kIG15IHRlc3Qgc3Vp
dGVzCmhhdmUgYSBwcm9ibGVtDQoNCkkgc2VuZCAxMDAgbG9naW4gcmVxdWVz
dHMgdG8gUG9zdGdyZVNRTCwgYW5kIDItMyBvZiB0aGVtIGNvbWUgYmFjayAy
IG1pbnV0ZXMKbGF0ZXIgc2F5aW5nICJzZXJ2ZXIgY2xvc2VkIHRoZSBjb25u
ZWN0aW9uIHVuZXhwZWN0ZWRseSIsIGFuZCB0aGUgc2VydmVyCmxvZ3Mgc2F5
ICJjYW5jZWxpbmcgYXV0aGVudGljYXRpb24gZHVlIHRvIHRpbWVvdXQiLg0K
DQpJdCBpcyByZXByb2R1Y2libGUgb24gTGludXggc3lzdGVtcywgYnV0IEkg
aGF2ZW4ndCB5ZXQgdGVzdGVkIDkuNiBvbiBtYWNPUwpvciBXaW5kb3dzIDEw
Lg0KDQpJIHRyYWNrZWQgaXQgZG93biB0byBzc2xtb2RlPWFsbG93LiBUaGUg
YmVsb3cgc2NyaXB0IHJlcHJvZHVjZXMgdGhlCnByb2JsZW0uDQoNCiMgdGhp
cyBvbmx5IHNheXMgInRvbyBtYW55IGNsaWVudHMiDQokIC4vdGVzdC5zaCBk
aXNhYmxlIA0KDQojIHRoaXMgc2F5cyAidG9vIG1hbnkgY2xpZW50cyIsIGlu
dGVyc3BlcnNlZCB3aXRoICJzZXJ2ZXIgY2xvc2VkIHRoZQpjb25uZWN0aW9u
IHVuZXhwZWN0ZWRseSIgZXJyb3JzLCBidXQgdGhlIGxvZ3MgZG9uJ3Qgc2F5
ICJjYW5jZWxpbmcKYXV0aGVudGljYXRpb24gZHVlIHRvIHRpbWVvdXQiDQok
IC4vdGVzdC5zaCBhbGxvdw0KDQpJIGJlbGlldmUgaXQgaXMgdGhlIHNhbWUg
dW5kZXJseWluZyBwcm9ibGVtLCBidXQgdGhlcmUgYXJlIHNsaWdodGx5CmRp
ZmZlcmVudCBlcnJvcnMgYXMgZGVzY3JpYmVkIGFib3ZlLg0KDQpCZWdpbiBz
Y3JpcHQ6DQpgYGANCiMhL2Jpbi9zaA0KDQpybSAtcmYgZGF0YV90ZXN0DQoN
CmluaXRkYiAtRCBkYXRhX3Rlc3QgLUUgVVRGOCAtVSBwb3N0Z3Jlcw0KZWNo
byAidW5peF9zb2NrZXRfZGlyZWN0b3JpZXM9Jy90bXAnIiA+PiBkYXRhX3Rl
c3QvcG9zdGdyZXNxbC5jb25mDQoNCnBnX2N0bCBzdGFydCAtRCBkYXRhX3Rl
c3QgLW8gIi1wIDU0MzEiDQpzbGVlcCAzDQpwc3FsIC1VIHBvc3RncmVzIC1o
IDEyNy4wLjAuMSAtcCA1NDMxIHBvc3RncmVzIC0xYyAiQUxURVIgUk9MRSBw
b3N0Z3JlcwpQQVNTV09SRCAncGFzc3dvcmQnOyINCnBnX2N0bCBzdG9wIC1E
IGRhdGFfdGVzdA0KDQpjcCBkYXRhX3Rlc3QvcGdfaGJhLmNvbmYgZGF0YV90
ZXN0L3BnX2hiYS5iYWsNCnNlZCAtZSAnL3RydXN0L3MvMzIgICAgICAgICAg
ICB0cnVzdC8zMiAgICAgICAgICAgIG1kNS9nJyA8CmRhdGFfdGVzdC9wZ19o
YmEuYmFrID4gZGF0YV90ZXN0L3BnX2hiYS5jb25mDQplY2hvICJob3N0ICAg
IGFsbCAgICAgICAgICAgICBhbGwgICAgICAgICAgICAgMTkyLjE2OC4wLjAv
MTYgICAgICAgICAgICBtZDUiCj4+IGRhdGFfdGVzdC9wZ19oYmEuY29uZg0K
DQpwZ19jdGwgc3RhcnQgLUQgZGF0YV90ZXN0IC1vICItcCA1NDMxIC1OIDEw
MDAiDQpzbGVlcCAzDQpwaWRzPSIiDQplY2hvICIxMjcuMC4wLjE6NTQzMTpw
b3N0Z3Jlczpwb3N0Z3JlczpwYXNzd29yZCIgPiAuL3BncGFzcw0KY2htb2Qg
MDYwMCAuL3BncGFzcw0KZXhwb3J0IFBHUEFTU0ZJTEU9Ii4vcGdwYXNzIg0K
Zm9yIGkgaW4gYHNlcSAxIDEwMDAwYDsgZG8NCgkjZWNobyAibG9vcCAkaSIN
Cglwc3FsICJob3N0PTEyNy4wLjAuMSBkYm5hbWU9cG9zdGdyZXMgcG9ydD01
NDMxIHNzbG1vZGU9IiQxIiB1c2VyPXBvc3RncmVzIgotMWMgIlNFTEVDVCAn
dGVzdCcsIHBnX3NsZWVwKDUpOyIgPiAvZGV2L251bGwgJg0KCXBpZHM9IiRw
aWRzICQhIg0KZG9uZQ0Kd2FpdCAkcGlkcw0KcGdfY3RsIHN0b3AgLUQgZGF0
YV90ZXN0DQpgYGAKCg==

nunziotocci2000@gmail.com writes:
> I send 100 login requests to PostgreSQL, and 2-3 of them come back 2 minutes
> later saying "server closed the connection unexpectedly", and the server
> logs say "canceling authentication due to timeout".

FWIW, I couldn't reproduce this (using RHEL6, don't have a Fedora
installation at the moment).

> I tracked it down to sslmode=allow. The below script reproduces the
> problem.

Since you haven't done anything to enable SSL in your test server,
sslmode=allow shouldn't have any effect except to allow libpq to
retry a failed connection attempt one time.  libpq is pretty
simple-minded about that and will retry no matter what the specific
error report is, in particular it would do so for "too many clients".
So basically this ought to just increase the number of "too many clients"
failures you get.  I wonder whether you are running into kernel
resource limits like number of processes or number of open files.
I was able to get some "fork failed: Resource temporarily unavailable"
type errors if I pushed max_connections high enough, but no unexpected
behavior.

            regards, tom lane