From 8b33d83cc59d38a83f7cd4abe7738835e24f8624 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 25 Feb 2010 23:45:29 +0000 Subject: Back-patch addition of ssl_renegotiation_limit into 7.4 through 8.1. --- src/backend/libpq/be-secure.c | 10 ++++++---- src/backend/utils/misc/guc.c | 12 +++++++++++- src/backend/utils/misc/postgresql.conf.sample | 2 ++ 3 files changed, 19 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 589424c6dd4..42f62caff0d 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.6 2009/12/09 06:37:09 mha Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.7 2010/02/25 23:45:28 tgl Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -112,14 +112,16 @@ static void close_SSL(Port *); static const char *SSLerrmessage(void); #endif -#ifdef USE_SSL /* * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. + * Set to 0 to disable renegotiation completely. */ -#define RENEGOTIATION_LIMIT (512 * 1024 * 1024) +int ssl_renegotiation_limit; + #define CA_PATH NULL +#ifdef USE_SSL static SSL_CTX *SSL_context = NULL; #endif @@ -318,7 +320,7 @@ secure_write(Port *port, void *ptr, size_t len) #ifdef USE_SSL if (port->ssl) { - if (port->count > RENEGOTIATION_LIMIT) + if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L) { SSL_set_session_id_context(port->ssl, (void *) &SSL_context, sizeof(SSL_context)); diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index d5da9b77a11..6d83b4722e2 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut . * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.7 2009/12/09 21:59:07 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.8 2010/02/25 23:45:28 tgl Exp $ * *-------------------------------------------------------------------- */ @@ -75,6 +75,7 @@ extern int CheckPointTimeout; extern int CommitDelay; extern int CommitSiblings; extern char *preload_libraries_string; +extern int ssl_renegotiation_limit; #ifdef HAVE_SYSLOG extern char *Syslog_facility; @@ -976,6 +977,15 @@ static struct config_int ConfigureNamesInt[] = DEF_PGPORT, 1, 65535, NULL, NULL }, + { + {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY, + gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."), + NULL + }, + &ssl_renegotiation_limit, + 512 * 1024, 0, INT_MAX / 1024, NULL, NULL + }, + { {"unix_socket_permissions", PGC_POSTMASTER, CONN_AUTH_SETTINGS, gettext_noop("Sets the access permissions of the Unix-domain socket."), diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index a211226093f..9cf6f0592a0 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -44,6 +44,8 @@ #authentication_timeout = 60 # 1-600, in seconds #ssl = false +#ssl_renegotiation_limit = 524288 # amount of data between renegotiations + # in kilobytes #password_encryption = true #krb_server_keyfile = '' #db_user_namespace = false -- cgit v1.2.3