From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Sean Chittenden <sean(at)chittenden(dot)org> |
Cc: | pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Slightly improved SSL bits... |
Date: | 2003-06-11 15:06:01 |
Message-ID: | 200306111506.h5BF61A23753@candle.pha.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-patches |
Patch applied. Thanks.
---------------------------------------------------------------------------
Sean Chittenden wrote:
> Well, the discussion about SSL a bit back perked my interest and I did
> some reading on the subject.
>
> 1) PostgreSQL uses ephemeral keying, for its connections (good thing)
>
> 2) PostgreSQL doesn't set the cipher list that it allows (bad thing,
> fixed)
>
> 3) PostgreSQL's renegotiation code wasn't text book correct (could be
> bad, fixed)
>
> 4) The rate of renegotiating was insanely low (as Tom pointed out, set
> to a more reasonable level)
>
> I haven't checked around much to see if there are any other SSL bits
> that need some review, but I'm doing some OpenSSL work right now
> and'll send patches for improvements along the way (if I find them).
> At the very least, the changes in this patch will make security folks
> happier for sure. The constant renegotiation of sessions was likely a
> boon to systems that had bad entropy gathering means (read: Slowaris
> /dev/rand|/dev/urand != ANDIrand). The new limit for renegotiations
> is 512MB which should be much more reasonable.
>
> -sc
>
> --
> Sean Chittenden
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From | Date | Subject | |
---|---|---|---|
Next Message | Chris Campbell | 2003-06-11 16:29:13 | Re: Adding Rendezvous support to postmaster |
Previous Message | Bruce Momjian | 2003-06-11 15:03:50 | Re: Resend of encoding docs patch |