From f8bd81b4cb6970c784e5c8250861df1e09cf323e Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Thu, 25 Feb 2010 13:26:19 +0000 Subject: Add configuration parameter ssl_renegotiation_limit to control how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation. --- src/backend/libpq/be-secure.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'src/backend/libpq/be-secure.c') diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index df730b658c6..3612f5be0e4 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.74.2.5 2009/12/30 03:46:08 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.74.2.6 2010/02/25 13:26:19 mha Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -117,13 +117,14 @@ static void close_SSL(Port *); static const char *SSLerrmessage(void); #endif -#ifdef USE_SSL /* * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. + * Set to 0 to disable renegotiation completely. */ -#define RENEGOTIATION_LIMIT (512 * 1024 * 1024) +int ssl_renegotiation_limit; +#ifdef USE_SSL static SSL_CTX *SSL_context = NULL; #endif @@ -332,7 +333,7 @@ secure_write(Port *port, void *ptr, size_t len) { int err; - if (port->count > RENEGOTIATION_LIMIT) + if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L) { SSL_set_session_id_context(port->ssl, (void *) &SSL_context, sizeof(SSL_context)); -- cgit v1.2.3