From f8bd81b4cb6970c784e5c8250861df1e09cf323e Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Thu, 25 Feb 2010 13:26:19 +0000
Subject: Add configuration parameter ssl_renegotiation_limit to control how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation.
---
 doc/src/sgml/config.sgml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index f6d446553ca..770b95ab287 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-
+
 Server Configuration
@@ -569,6 +569,32 @@ SET ENABLE_SEQSCAN TO OFF;
+
+ ssl_renegotiation_limit (int)
+
+ ssl_renegotiation_limit configuration parameter
+
+
+
+ Specifies how much data can flow over an SSL encrypted connection
+ before renegotiation of the session will take place. Renegotiation of the
+ session decreases the chance of doing cryptanalysis when large amounts of data
+ are sent, but it also carries a large performance penalty. The sum of
+ sent and received traffic is used to check the limit. If the parameter is
+ set to 0, renegotiation is disabled. The default is 512MB.
+
+
+
+ SSL libraries from before November 2009 are insecure when using SSL
+ renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix
+ for this vulnerability, some vendors also shipped SSL libraries incapable
+ of doing renegotiation. If any of these libraries are in use on the client
+ or server, SSL renegotiation should be disabled.
+
+
+
+
+ password_encryption (boolean)
-- cgit v1.2.3