From: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Michael Ledford <mledford(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Recent vendor SSL renegotiation patches break PostgreSQL
Date: 2010-02-03 18:33:42
Message-ID: 20100203183342.GD3905@alvh.no-ip.org
Lists: pgsql-hackers
Tom Lane wrote:
> Michael Ledford <mledford(at)gmail(dot)com> writes:
> > One might argue that the current method is already weakened as it is
> > measured by the amount of data sent instead of a length of time. A
> > session could live a long time under the 512MB threshold depending on
> > the queries that are being performed.
>
> Renegotiation after X amount of data is the recommended method AFAIK,
> because it limits the volume of data available to cryptanalysis.
> What makes you think that elapsed time is relevant at all?
FWIW I think there's another problem with streaming replication here,
which is that most data flows from client to server, so it would take
quite some time for the threshold to be reached. Note that there's no
size check in the libpq frontend code. Normally this is not an issue
because the bulk of data is expected to flow in the other direction.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
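To make the asymmetry concrete, here is a small simulation of a per-session byte counter that triggers renegotiation only when the server's outbound byte count reaches the limit, beside a variant that counts both directions. This is an added illustration, not PostgreSQL or libpq code; the 512 MiB limit matches the threshold mentioned in the thread, and the traffic profile (a client uploading 1 GiB in 1 MiB chunks while the server answers each chunk with a 64-byte acknowledgement) is constructed for the example. Counting inbound bytes is shown only as a contrast, not as something the thread proposes.

```python
"""Simulate an SSL renegotiation trigger driven by a byte counter.

Added example, not PostgreSQL code. The server-side-only variant mirrors the
situation described in the thread: only bytes the server writes are counted,
so a session where most data flows client->server may never reach the limit.
"""

from dataclasses import dataclass


@dataclass
class RenegotiationCounter:
    limit: int                   # bytes before a renegotiation is forced
    count_inbound: bool = False  # also count client->server bytes? (contrast only)
    bytes_out: int = 0           # server->client bytes since last renegotiation
    bytes_in: int = 0            # client->server bytes since last renegotiation
    renegotiations: int = 0

    def _check(self) -> None:
        counted = self.bytes_out + (self.bytes_in if self.count_inbound else 0)
        if counted >= self.limit:
            # A real implementation would call the TLS library here; we only
            # record the event and start a fresh count.
            self.renegotiations += 1
            self.bytes_out = 0
            self.bytes_in = 0

    def server_write(self, n: int) -> None:
        self.bytes_out += n
        self._check()

    def server_read(self, n: int) -> None:
        self.bytes_in += n
        self._check()


def run_session(counter: RenegotiationCounter, messages) -> int:
    """Feed (direction, nbytes) pairs through the counter.

    direction is 'c2s' (client->server) or 's2c' (server->client).
    Returns how many renegotiations the session triggered.
    """
    for direction, n in messages:
        if direction == "s2c":
            counter.server_write(n)
        elif direction == "c2s":
            counter.server_read(n)
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return counter.renegotiations


MiB = 1024 * 1024

# Constructed traffic profile (hypothetical): the client streams 1 GiB to the
# server in 1 MiB chunks and the server replies to each with a 64-byte ack.
UPLOAD_HEAVY = [m for _ in range(1024) for m in (("c2s", MiB), ("s2c", 64))]


def renegotiations_server_side_only(limit: int = 512 * MiB) -> int:
    """Only server->client bytes count: 1024 * 64 B of acks never reach 512 MiB."""
    return run_session(RenegotiationCounter(limit), UPLOAD_HEAVY)


def renegotiations_both_directions(limit: int = 512 * MiB) -> int:
    """Both directions count: the 1 GiB upload crosses the limit twice."""
    return run_session(RenegotiationCounter(limit, count_inbound=True), UPLOAD_HEAVY)


if __name__ == "__main__":
    print("server-side only:", renegotiations_server_side_only())
    print("both directions: ", renegotiations_both_directions())
```

With the outbound-only counter the whole 1 GiB upload produces zero renegotiations, because the server has written only 64 KiB; counting both directions yields two. The point is not that counting inbound bytes is the right fix (the thread does not settle that) but that a threshold measured on one direction says nothing about how much traffic has crossed the connection in the other.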