-rw-r--r--doc/src/sgml/config.sgml10
-rw-r--r--src/backend/utils/misc/guc.c2
-rw-r--r--src/backend/utils/misc/postgresql.conf.sample2
3 files changed, 11 insertions, 3 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index c9276a36af0..0dcfdf78595 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -858,7 +858,7 @@ include 'filename'
cryptanalysis when large amounts of traffic can be examined, but it
also carries a large performance penalty. The sum of sent and received
traffic is used to check the limit. If this parameter is set to 0,
- renegotiation is disabled. The default is <literal>512MB</>.
+ renegotiation is disabled. The default is <literal>0</>.
</para>
<note>
<para>
@@ -870,6 +870,14 @@ include 'filename'
disabled.
</para>
</note>
+
+ <warning>
+ <para>
+ Due to bugs in <productname>OpenSSL</> enabling ssl renegotiation, by
+ configuring a non-zero <varname>ssl_renegotiation_limit</>, is likely
+ to lead to problems like long-lived connections breaking.
+ </para>
+ </warning>
</listitem>
</varlistentry>
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 2b6527f012a..61cde68a6c3 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -2377,7 +2377,7 @@ static struct config_int ConfigureNamesInt[] =
GUC_UNIT_KB,
},
&ssl_renegotiation_limit,
- 512 * 1024, 0, MAX_KILOBYTES,
+ 0, 0, MAX_KILOBYTES,
NULL, NULL, NULL
},
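Review bot: The new boot value `0` in the `ssl_renegotiation_limit` entry carries the special meaning "renegotiation disabled", but nothing at this site says so or why the default was changed. A short comment above the value line, such as `/* 0 disables renegotiation; off by default because of OpenSSL renegotiation bugs, see config.sgml */`, would keep a later reader from treating it as an ordinary lower bound. The same applies to the postgresql.conf.sample hunk, where the trailing comment could read `# amount of data between renegotiations; 0 disables`. Installations that never set the parameter presumably stop rekeying long-lived SSL connections once this default takes effect, which is worth calling out for operators who relied on the old 512MB behaviour. The ConfigureNamesInt initializer starts and ends outside the hunk.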
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 12f1cbaa1f8..0bf2554a1d4 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -81,7 +81,7 @@
#ssl = off # (change requires restart)
#ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
-#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
+#ssl_renegotiation_limit = 0 # amount of data between renegotiations
#ssl_cert_file = 'server.crt' # (change requires restart)
#ssl_key_file = 'server.key' # (change requires restart)
#ssl_ca_file = '' # (change requires restart)