On Sat, Jul 11, 2015 at 9:28 PM, Andres Freund <and...@anarazel.de> wrote:
> On 2015-07-11 21:09:05 +0900, Michael Paquier wrote: > > Something like the patches attached > > Thanks for that! > > > could be considered, one is for master > > and REL9_5_STABLE to remove ssl_renegotiation_limit, the second one for > > ~REL9_4_STABLE to change the default to 0. > > > diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml > > index c669f75..16c0ce5 100644 > > --- a/doc/src/sgml/config.sgml > > +++ b/doc/src/sgml/config.sgml > > @@ -1040,7 +1040,7 @@ include_dir 'conf.d' > > cryptanalysis when large amounts of traffic can be examined, > but it > > also carries a large performance penalty. The sum of sent and > received > > traffic is used to check the limit. If this parameter is set to > 0, > > - renegotiation is disabled. The default is <literal>512MB</>. > > + renegotiation is disabled. The default is <literal>0</>. > > I think we should put in a warning or at least note about the dangers of > enabling it (connection breaks, exposure to several open openssl bugs). > This sounds like a good idea to me. Here is an idea: + <warning> + <para> + Enabling <varname>ssl_renegotiation_limit</> can cause various + problems endangering the stability of a <productname>PostgreSQL</> + instance like connection breaking suddendly and exposes the + server to bugs related to the internal implementation of renegotiation + done in the SSL libraries used. + </para> + </warning> Attached is v2 for ~9.4. Regards, -- Michael
20150712_ssl_renegotiation_remove-94_v2.patch
Description: binary/octet-stream
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers