forked frompostgres/postgres
- Notifications
You must be signed in to change notification settings - Fork6
Commitdda04b9
committed
Disallow SSL session tickets.
We don't actually support session tickets, since we do not create an SSLsession identifier. But it seems that OpenSSL will issue a session ticketon-demand anyway, which will then fail when used. This results inreconnection failures when using ticket-aware client-side SSL libraries(such as the Npgsql .NET driver), as reported by Shay Rojansky.To fix, just tell OpenSSL not to issue tickets. At some point in thefar future, we might consider enabling tickets instead. But the securityimplications of that aren't entirely clear; and besides it would havelittle benefit except for very short-lived database connections, which isSomething We're Bad At anyhow. It would take a lot of other work to getto a point where that would really be an exciting thing to do.While at it, also tell OpenSSL not to use a session cache. This doesn'treally do anything, since a backend would never populate the cache anyway,but it might gain some micro-efficiencies and/or reduce securityexposures.Patch by me, per discussion with Heikki Linnakangas and Shay Rojansky.Back-patch to all supported versions.Discussion:https://postgr.es/m/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA@mail.gmail.com1 parentb7d1bc8 commitdda04b9
1 file changed
+8
-0
lines changedLines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
935 | 935 | | |
936 | 936 | | |
937 | 937 | | |
| 938 | + | |
| 939 | + | |
| 940 | + | |
| 941 | + | |
| 942 | + | |
| 943 | + | |
| 944 | + | |
| 945 | + | |
938 | 946 | | |
939 | 947 | | |
940 | 948 | | |
| |||
0 commit comments
Comments
(0)