Commit413d34b

committed
Add configuration parameter ssl_renegotiation_limit to control
how often we do SSL session key renegotiation. Can be set to 0 to disable renegotiation completely, which is required if a broken SSL library is used (broken patches to CVE-2009-3555 a known cause) or when using a client library that can't do renegotiation.
1 parent0ccc515 commit413d34b


4 files changed

+45
-6
lines changed


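--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.252 2010/02/17 04:19:37 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.253 2010/02/25 13:26:15 mha Exp $ -->
 
 <chapter Id="runtime-config">
 <title>Server Configuration</title>
@@ -606,6 +606,32 @@ SET ENABLE_SEQSCAN TO OFF;
 </listitem>
 </varlistentry>
 
+<varlistentry id="guc-ssl-renegotiation-limit" xreflabel="ssl_renegotiation_limit">
+<term><varname>ssl_renegotiation_limit</varname> (<type>int</type>)</term>
+<indexterm>
+<primary><varname>ssl_renegotiation_limit</> configuration parameter</primary>
+</indexterm>
+<listitem>
+<para>
+Specifies how much data can flow over an <acronym>SSL</> encrypted connection
+before renegotiation of the session will take place. Renegotiation of the
+session decreases the chance of doing cryptanalysis when large amounts of data
+are sent, but it also carries a large performance penalty. The sum of
+sent and received traffic is used to check the limit. If the parameter is
+set to 0, renegotiation is disabled. The default is <literal>512MB</>.
+</para>
+<note>
+<para>
+SSL libraries from before November 2009 are insecure when using SSL
+renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix
+for this vulnerability, some vendors also shipped SSL libraries incapable
+of doing renegotiation. If any of these libraries are in use on the client
+or server, SSL renegotiation should be disabled.
+</para>
+</note>
+</listitem>
+</varlistentry>
+
 <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
 <term><varname>ssl_ciphers</varname> (<type>string</type>)</term>
 <indexterm>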

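--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.97 2010/02/18 11:13:45 heikki Exp $
+* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.98 2010/02/2513:26:15 mha Exp $
 *
 * Since the server static private key ($DataDir/server.key)
 * will normally be stored unencrypted so that the database
@@ -93,13 +93,14 @@ static void close_SSL(Port *);
 staticconstchar*SSLerrmessage(void);
 #endif
 
-#ifdefUSE_SSL
 /*
 *How much data can be sent across a secure connection
 *(total in both directions) before we require renegotiation.
+*Set to 0 to disable renegotiation completely.
 */
-#defineRENEGOTIATION_LIMIT (512 * 1024 * 1024)
+intssl_renegotiation_limit;
 
+#ifdefUSE_SSL
 staticSSL_CTX*SSL_context=NULL;
 staticboolssl_loaded_verify_locations= false;
 
@@ -320,7 +321,7 @@ secure_write(Port *port, void *ptr, size_t len)
 {
 interr;
 
-if (port->count>RENEGOTIATION_LIMIT)
+if (ssl_renegotiation_limit&&port->count>ssl_renegotiation_limit*1024L)
 {
 SSL_set_session_id_context(port->ssl, (void*)&SSL_context,
 sizeof(SSL_context));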
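Review bot: The new comparison in secure_write, `if (ssl_renegotiation_limit&&port->count>ssl_renegotiation_limit*1024L)`, depends on a unit that the comment above the definition never states: the GUC is registered with GUC_UNIT_KB in guc.c, so the variable holds kilobytes and the `*1024L` converts to bytes. I would extend that comment to say so, e.g. `* ssl_renegotiation_limit is in kilobytes (GUC_UNIT_KB); 0 disables renegotiation.`. The int-to-long product presumably cannot overflow because the GUC's upper bound is MAX_KILOBYTES, but that bound is not visible here and is worth confirming on platforms where long is 32 bits. Moving the definition above `#ifdef USE_SSL` so that guc.c can reference it in non-SSL builds also deserves a one-line comment, since the `#define` it replaces lived inside the ifdef. secure_write's body continues outside the hunk.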

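--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.541 2010/02/17 04:19:40 tgl Exp $
+* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.542 2010/02/25 13:26:15 mha Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -117,6 +117,7 @@ extern char *temp_tablespaces;
 externboolsynchronize_seqscans;
 externboolfullPageWrites;
 externintvacuum_defer_cleanup_age;
+externintssl_renegotiation_limit;
 
 inttrace_recovery_messages=LOG;
 
@@ -1968,6 +1969,16 @@ static struct config_int ConfigureNamesInt[] =
 0,0,INT_MAX,assign_tcp_keepalives_interval,show_tcp_keepalives_interval
 },
 
+{
+{"ssl_renegotiation_limit",PGC_USERSET,CONN_AUTH_SECURITY,
+gettext_noop("Set the amount of traffic to send and receive before renegotiating the encryption keys."),
+NULL,
+GUC_UNIT_KB,
+},
+&ssl_renegotiation_limit,
+512*1024,0,MAX_KILOBYTES,NULL,NULL
+},
+
 {
 {"tcp_keepalives_count",PGC_USERSET,CLIENT_CONN_OTHER,
 gettext_noop("Maximum number of TCP keepalive retransmits."),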
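Review bot: The new `ssl_renegotiation_limit` entry is PGC_USERSET, so any connected role can set it to 0 in its own session and turn off the key renegotiation that the 512MB default is meant to apply; that looks intentional, since clients with renegotiation-incapable libraries need a way to opt out, but it means the server cannot treat the limit as an enforced policy, and a short comment on the entry saying the setting is deliberately client-controllable would keep a later reader from assuming otherwise. The long description is NULL although the zero-disables behaviour is the one detail a user most needs; I would put `gettext_noop("Zero disables renegotiation.")` in its place. The ConfigureNamesInt array continues outside the hunk.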

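--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -80,6 +80,7 @@
 #ssl = off# (change requires restart)
 #ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'# allowed SSL ciphers
 # (change requires restart)
+#ssl_renegotiation_limit = 512MB# amount of data between renegotiations
 #password_encryption = on
 #db_user_namespace = off
 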