diff options
| author | Magnus Hagander <magnus@hagander.net> | 2010-02-25 13:26:26 +0000 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2010-02-25 13:26:26 +0000 |
| commit | 5ea449e06e78544818716a4342c23934b9e25d5a (patch) | |
| tree | 405c1628b37e9c221c36e3f17b0f1905811b99a4 /doc/src | |
| parent | 29667c8536fc99472d22ac617dd965bf5c4f1c5f (diff) | |
Add configuration parameter ssl_renegotiation_limit to control
how often we do SSL session key renegotiation. Can be set to
0 to disable renegotiation completely, which is required if
a broken SSL library is used (broken patches to CVE-2009-3555
a known cause) or when using a client library that can't do
renegotiation.
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/config.sgml | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 0864465f32a..f4c219373c9 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.220.2.1 2009/08/24 20:08:40 tgl Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.220.2.2 2010/02/25 13:26:26 mha Exp $ --> <chapter Id="runtime-config"> <title>Server Configuration</title> @@ -580,6 +580,32 @@ SET ENABLE_SEQSCAN TO OFF; </listitem> </varlistentry> + <varlistentry id="guc-ssl-renegotiation-limit" xreflabel="ssl_renegotiation_limit"> + <term><varname>ssl_renegotiation_limit</varname> (<type>int</type>)</term> + <indexterm> + <primary><varname>ssl_renegotiation_limit</> configuration parameter</primary> + </indexterm> + <listitem> + <para> + Specifies how much data can flow over an <acronym>SSL</> encrypted connection + before renegotiation of the session will take place. Renegotiation of the + session decreases the chance of doing cryptanalysis when large amounts of data + are sent, but it also carries a large performance penalty. The sum of + sent and received traffic is used to check the limit. If the parameter is + set to 0, renegotiation is disabled. The default is <literal>512MB</>. + </para> + <note> + <para> + SSL libraries from before November 2009 are insecure when using SSL + renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix + for this vulnerability, some vendors also shipped SSL libraries incapable + of doing renegotiation. If any of these libraries are in use on the client + or server, SSL renegotiation should be disabled. + </para> + </note> + </listitem> + </varlistentry> + <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers"> <term><varname>ssl_ciphers</varname> (<type>string</type>)</term> <indexterm> |