fix(postgresql-proxy): prevent SSL COPY stalls by draining pending SSL buffer (#12)

nik-localstack · GitHub Copilot · claude · web-flow · commit 5ade47a968ba · 2026-05-13T10:25:00.000+03:00
* fix(postgresql-proxy): prevent SSL COPY stalls by draining nonblocking reads
* chore: bump version to 0.3.1 and update changelog

---------

Co-authored-by: GitHub Copilot &lt;copilot@github.com&gt;
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -55,6 +55,9 @@ If you want to test it, do this. Otherwise scroll down for instructions on how t
   ```
 
 ### Changelog
+- v0.3.1
+  - Fix SSL COPY stalls by draining pending SSL buffer after recv [#11](https://github.com/localstack/postgresql-proxy/pull/11)
+  - Fix intermittent `BlockingIOError` on macOS during SSL negotiation
 - v0.3.0
   - Add support for SSL connections [#9](https://github.com/localstack/postgresql-proxy/pull/9)
 - v0.2.1
diff --git a/postgresql_proxy/proxy.py b/postgresql_proxy/proxy.py
@@ -130,6 +130,9 @@ def accept_wrapper(self, sock: socket.socket):
 
         # Accept the raw connection
         clientsocket, address = sock.accept()
+        # On macOS, accepted sockets inherit O_NONBLOCK from the listening socket.
+        # SSL negotiation uses blocking recv, so we must set blocking explicitly here.
+        clientsocket.setblocking(True)
 
         # Check if SSL is enabled for this proxy
         if self.ssl_context:
@@ -234,6 +237,15 @@ def service_connection(self, key: SelectorKeyProxy, mask):
                 if recv_data:
                     LOG.debug('%s received data:\n%s', conn.name, recv_data)
                     conn.received(recv_data)
+                    # excerpt from https://docs.python.org/3/library/ssl.html#ssl-nonblocking
+                    # Conversely, since the SSL layer has its own framing, a SSL socket may still have data available
+                    # for reading without select() being aware of it. Therefore, you should first call SSLSocket.recv()
+                    # to drain any potentially available data, and then only block on a select() call if still necessary.
+                    while isinstance(sock, ssl.SSLSocket) and sock.pending() > 0:
+                        extra = sock.recv(4096)
+                        if extra:
+                            LOG.debug('%s received pending SSL data:\n%s', conn.name, extra)
+                            conn.received(extra)
                 else:
                     self._unregister_conn(conn)
                     LOG.debug('%s connection closing %s', conn.name, conn.address)
diff --git a/setup.py b/setup.py
@@ -10,7 +10,7 @@
 
     setup(
         name='postgresql-proxy',
-        version='0.3.0',
+        version='0.3.1',
         description='Postgresql Proxy',
         packages=find_packages(exclude=('tests', 'tests.*')),
         install_requires=install_requires,
