-
+
Server Configuration
+
+ ssl_renegotiation_limit (int)
+
+
ssl_renegotiation_limit configuration parameter+
+
+ Specifies how much data can flow over an
SSL encrypted connection+ before renegotiation of the session will take place. Renegotiation of the
+ session decreases the chance of doing cryptanalysis when large amounts of data
+ are sent, but it also carries a large performance penalty. The sum of
+ sent and received traffic is used to check the limit. If the parameter is
+ set to 0, renegotiation is disabled. The default is 512MB.
+
+
+ SSL libraries from before November 2009 are insecure when using SSL
+ renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix
+ for this vulnerability, some vendors also shipped SSL libraries incapable
+ of doing renegotiation. If any of these libraries are in use on the client
+ or server, SSL renegotiation should be disabled.
+
+
+
+
+
ssl_ciphers (string)
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.97 2010/02/18 11:13:45 heikki Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.98 2010/02/25 13:26:15 mha Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
static const char *SSLerrmessage(void);
#endif
-#ifdef USE_SSL
/*
* How much data can be sent across a secure connection
* (total in both directions) before we require renegotiation.
+ * Set to 0 to disable renegotiation completely.
*/
-#define RENEGOTIATION_LIMIT (512 * 1024 * 1024)
+int ssl_renegotiation_limit;
+#ifdef USE_SSL
static SSL_CTX *SSL_context = NULL;
static bool ssl_loaded_verify_locations = false;
{
int err;
- if (port->count > RENEGOTIATION_LIMIT)
+ if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L)
{
SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
sizeof(SSL_context));
* Written by Peter Eisentraut
. *
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.541 2010/02/17 04:19:40 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.542 2010/02/25 13:26:15 mha Exp $
*
*--------------------------------------------------------------------
*/
extern bool synchronize_seqscans;
extern bool fullPageWrites;
extern int vacuum_defer_cleanup_age;
+extern int ssl_renegotiation_limit;
int trace_recovery_messages = LOG;
0, 0, INT_MAX, assign_tcp_keepalives_interval, show_tcp_keepalives_interval
},
+ {
+ {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+ gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+ NULL,
+ GUC_UNIT_KB,
+ },
+ &ssl_renegotiation_limit,
+ 512 * 1024, 0, MAX_KILOBYTES, NULL, NULL
+ },
+
{
{"tcp_keepalives_count", PGC_USERSET, CLIENT_CONN_OTHER,
gettext_noop("Maximum number of TCP keepalive retransmits."),
#ssl = off # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
+#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
#password_encryption = on
#db_user_namespace = off
projects / postgresql.git / commitdiff