| From: | Andres Freund <andres(at)anarazel(dot)de> |
|---|---|
| To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Cc: | Noah Misch <noah(at)leadboat(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Re: Removing SSL renegotiation (Was: Should we back-patch SSL renegotiation fixes?) |
| Date: | 2015-07-11 12:28:49 |
| Message-ID: | 20150711122849.GN26521@alap3.anarazel.de |
| Lists: | pgsql-hackers |
On 2015-07-11 21:09:05 +0900, Michael Paquier wrote:
> Something like the patches attached

Thanks for that!

> could be considered, one is for master
> and REL9_5_STABLE to remove ssl_renegotiation_limit, the second one for
> ~REL9_4_STABLE to change the default to 0.

> diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
> index c669f75..16c0ce5 100644
> --- a/doc/src/sgml/config.sgml
> +++ b/doc/src/sgml/config.sgml
> @@ -1040,7 +1040,7 @@ include_dir 'conf.d'
> cryptanalysis when large amounts of traffic can be examined, but it
> also carries a large performance penalty. The sum of sent and received
> traffic is used to check the limit. If this parameter is set to 0,
> - renegotiation is disabled. The default is <literal>512MB</>.
> + renegotiation is disabled. The default is <literal>0</>.
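
Review bot: at the changed line the paragraph ends with two adjacent sentences about the same value ("If this parameter is set to 0, renegotiation is disabled. The default is <literal>0</>."), directly after context that still presents renegotiation as reducing an attacker's chances for cryptanalysis, so the text gives no reason why the feature is now off by default. Suggest merging the two sentences into one that says renegotiation is disabled by default, and adding a sentence on why. The visible hunk touches only config.sgml; please confirm that the setting's actual default is changed in the same patch so the documented value matches.
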
I think we should put in a warning or at least note about the dangers of
enabling it (connection breaks, exposure to several open openssl bugs).

Thanks,

Andres